In association with heise online

29 June 2006, 17:44

Holger Morgenstern

Digital autopsy

Computer forensics with Open Source tools


If you have experienced a security breach, the first step is to collect evidence. The goal is not only to find clues, but also to preserve them so that they can be used in court. Open Source tools perform indispensable services towards both of these ends.

What is the best way to react to a security breach in your IT system? Recently, more and more companies, organizations, and individuals have been asking this question. If there is even a remote chance that the event could play a role in a legal dispute or in criminal prosecution, you have to take special care to preserve the evidence. Unfortunately, errors committed out of ignorance, with good intentions, or in a panic reaction often destroy proof of the criminal activity for good or render it worthless in court.

The field of computer forensics deals with the preservation of such evidence. As in other areas of criminal prosecution, the goal here is to collect, analyse, and reconstruct as much relevant evidence as possible for an unbiased presentation in court that everyone can understand.

Not magic

Some people think of computer forensics as a modern type of Black Magic that somehow reconstructs or decrypts data that have allegedly been destroyed. Information no one knew anything about suddenly pops up, and copiers used in-house disclose confidential documents. But as astonishing as the results may sometimes look, even the best forensic expert cannot conjure up any data that are no longer physically present. But dangers also lurk here: computer forensics requires quite a bit of system knowledge, and you have to know exactly what you are doing lest a few confused parameters turn a couple of the tools presented here into digital paper shredders. In addition, data protection and privacy rights also have to be taken into consideration for such analysis.

Besides intelligence services and criminal prosecutors, who normally have their own forensics departments, data recovery firms have moved into computer forensics, and they are keeping their methods to themselves. A few renowned commercial hardware and software products on the international market, such as EnCase, SafeBack, or SMART, are used in criminal prosecution.

In addition, there is a great variety of Open Source tools that can be used in computer forensics; some were even specially developed for this purpose. Open Source applications have some obvious advantages when it comes to preservation for courts. In legal disputes, evidence has to be presented without bias and must be available at all times for review by third parties. When the tools used are based on Open Source code, such reviews are possible without further ado, whereas with closed-source applications you can only trust the reputation of the service provider or have black box tests conducted, neither of which will truly dismiss all doubt. Open Source code also offers forensic experts a significant boost up the learning curve and can facilitate quick reactions to new requirements when experts are able to tweak tools individually to suit specific purposes.

Dr. Tux

Even a standard Linux installation includes tools for the imaging, authentication, deletion and scanning of various storage media. To begin with, Linux treats everything, including hardware, as a file, which gives forensic experts far-reaching control and many possible applications: access can be restricted, media can be replicated across different platforms, and the way the operating system interacts with the media concerned can be controlled. The latter point is especially important because the first commandment of computer forensics, as in other branches of criminology, is that evidence must not be altered. Normally, special hardware or software write-blockers are needed for such investigations; with Linux, you need only mount the medium read-only.


The standard version of Linux supports a very large number of file systems. The use of loop-back devices, the redirecting and forwarding of standard input and output, and the monitoring and logging of processes and commands are additional benefits of Linux.

As the systems to be studied after a security breach and the operating systems they run on are generally no longer trustworthy -- system components may have been exchanged or manipulated -- they should not be used for a forensic investigation. Here, Linux also performs well as it is relatively easy to create bootable media with integrated, statically linked tool sets. The Knoppix system is an ideal starting point to secure evidence as it can copy the entire content of the hard drive without changing the system under study.
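The acquisition workflow described in this section, as an added shell example that is not part of the original article: a bit-for-bit copy with dd, hashes of source and image recorded for the chain of custody, and the image verified before it is attached read-only. The source device is a constructed sample file standing in for a real device node such as /dev/sdb, and the paths /dev/loop0 and /mnt/evidence are assumptions.

```shell
#!/bin/sh
# Added example, not code from the article: acquire a bit-for-bit image with
# dd, hash source and image, and verify them before any analysis starts.
# SRC is a constructed sample file standing in for a device node such as
# /dev/sdb; in a real case you would run this from a separate boot medium so
# that nothing is ever written to the suspect system.
set -eu

WORK=$(mktemp -d)
SRC="$WORK/sample_disk.raw"   # constructed stand-in for /dev/sdb
IMG="$WORK/evidence.dd"

# Constructed 1 MiB "disk": zeros plus one recognisable string at offset 4096.
dd if=/dev/zero of="$SRC" bs=1024 count=1024 2>/dev/null
printf 'CONFIDENTIAL: constructed sample data\n' \
    | dd of="$SRC" bs=1 seek=4096 conv=notrunc 2>/dev/null

# Bit-for-bit copy. conv=noerror,sync keeps going past unreadable sectors
# and zero-pads them so offsets in the image still match the original.
# bs=512 matters: sync pads the final short block up to bs, so a block size
# that does not divide the device size would enlarge the image and break
# the hash comparison below.
acquire_image() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

hash_of() { sha256sum "$1" | cut -d' ' -f1; }

# Record both hashes with a timestamp (start of the chain of custody) and
# fail unless they are identical.
verify_image() {
    src_hash=$(hash_of "$1"); img_hash=$(hash_of "$2")
    printf '%s  %s  source  %s\n%s  %s  image   %s\n' \
        "$(date -u +%FT%TZ)" "$src_hash" "$1" \
        "$(date -u +%FT%TZ)" "$img_hash" "$2" >> "$3"
    [ "$src_hash" = "$img_hash" ]
}

acquire_image "$SRC" "$IMG"
verify_image "$SRC" "$IMG" "$WORK/custody.log" && echo "image verified"

# All analysis then runs against the image, never the original. Attaching it
# read-only through a loop device needs root and is shown, not executed;
# noload (ext3/ext4) stops the journal being replayed onto the image:
#   losetup -r /dev/loop0 "$IMG"
#   mount -o ro,noexec,nodev,noload /dev/loop0 /mnt/evidence
# A raw string search over the image works without mounting at all:
grep -a -c CONFIDENTIAL "$IMG"
```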
