In association with heise online

Destroying evidence

Forensic experts agree that most mistakes occur in the period just after a security breach has been discovered. Administrators try to get the system going again as fast as possible by rebooting it, installing updates, or copying a standard image; consumers panic and try to delete embarrassing tracks of Internet use once they have seen dialer fees on their telephone bills. In addition, keep in mind that anything you do on the affected machine with the standard tools of its own operating system may destroy potential evidence, or at least make it worthless for use in court.

Therefore, the first thing you should do is make and authenticate a forensically correct image of all affected data without changing the original data. If you have to, or are able to, investigate a live system, the data should be backed up in the order of its half-life -- in other words, starting with the most volatile data. Experts do not agree on which specific procedure is best in which case. Most of the time, the systems affected have already been switched off, and investigations therefore mainly focus on permanent data carriers. For this reason, we will only be concerned with a 'dead' system in the following.

A forensically correct image is an exact copy of a data carrier. It should be created independently of the carrier's logical organization, the file system used, and any errors at that level. Physical errors have to be handled robustly so that they can be understood later. The authenticity of the image and the unchanged state of the original medium should be demonstrable as far as possible.

The most important tool for forensic analysis is therefore sufficient hard drive space to back up the hard drive as a file. You can add an additional drive to the system to be investigated for an image that will later be studied on another computer; experts work with extra hard drives connected via SCSI, USB or FireWire to the system to be studied. If you spend a little more time, the image can also be directly created on the target workstations within your network.

Generally, commonly used imaging tools are not good enough to create a forensically correct image. Primarily designed for performance and optimized to take up little space, they normally leave out free sectors. They may also change the original medium, and they cannot handle errors in the structure of the file system. But that is exactly what is needed if, for instance, a virus or a hacker has deleted the partition table at the end of an attack.

The tool called "dd" included in every Linux distribution may not seem very powerful, but it fulfils all of the requirements listed above. In the US government's Computer Forensic Tool Testing Program [1], dd was the only imaging tool that passed all of the tests with flying colours. Even such well-known commercial products as Encase and SafeBack had a few shortcomings in these tests.

The normal version of dd only creates a pure image. It hardly matters what kind of medium is being copied: if Linux supports it, dd can make an image of it. In particular, dd can make images of all kinds of hard drives, optical drives, floppy disks, USB sticks, memory cards, and even RAM.

For authentication, common Linux tools such as md5sum, md5deep and sha1sum can be used. A typical flow to create a forensically correct image could look as follows:

md5sum /dev/hda > hash.txt
dd if=/dev/hda of=/mnt/sda1/cases/4711.dd
md5sum /dev/hda >> hash.txt
md5sum /mnt/sda1/cases/4711.dd >> hash.txt

Here, /dev/hda is the IDE drive to be backed up. The image will land in a directory in the first partition of an external SCSI/USB drive that Knoppix mounts under /mnt/sda1. /dev/hda itself is not mounted; it is only read as a raw device.

If no physical errors have occurred, the three hash values generated by md5sum will correspond, thus proving 1) that the data were correctly copied and 2) that the original was not changed in the process. The netcat tool can be used to transport the images thus created across a network.
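The hash-before, image, hash-after, hash-image sequence above, wrapped in a small POSIX shell script as an added example (not part of the original article). The SRC, DST and HASHLOG paths and the helper names are assumptions; the constructed sample "device" stands in for /dev/hda so the script can be run offline.

```shell
#!/bin/sh
# Added example: hash-verified imaging in the order described in the article.
# Usage: forensic_image /dev/hda /mnt/sda1/cases/4711.dd hash.txt
set -u

# forensic_image SRC DST HASHLOG
# Hashes the source, images it with dd, hashes the source again and then the image.
# Returns 0 only when all three md5 hashes agree; 2 if dd itself failed.
forensic_image() {
    src="$1"; dst="$2"; log="$3"
    : > "$log"
    h1=$(md5sum "$src" | cut -d' ' -f1); echo "before  $h1 $src" >> "$log"
    # Plain dd, as in the article. On a physically damaged carrier one would add
    # conv=noerror,sync, but then the image hash is expected to differ from the source.
    dd if="$src" of="$dst" bs=4k 2>/dev/null || return 2
    h2=$(md5sum "$src" | cut -d' ' -f1); echo "after   $h2 $src" >> "$log"
    h3=$(md5sum "$dst" | cut -d' ' -f1); echo "image   $h3 $dst" >> "$log"
    [ "$h1" = "$h2" ] && [ "$h2" = "$h3" ]
}

# verify_image SRC DST: re-hash both sides, e.g. before analysis starts on another machine.
verify_image() {
    [ "$(md5sum "$1" | cut -d' ' -f1)" = "$(md5sum "$2" | cut -d' ' -f1)" ]
}

# make_sample_device PATH: constructed stand-in for /dev/hda (64 KiB of random bytes).
make_sample_device() {
    dd if=/dev/urandom of="$1" bs=4k count=16 2>/dev/null
}
```

The hash.txt the function writes is the same three-line record the article's command sequence produces, with a label in front of each hash.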

Start by opening a mini-server on the target computer to write all of the incoming data into one file:

nc -l -p 4711 > 4711.dd

The data read out are then entered into this file:

dd if=/dev/hda | nc <target-host> 4711

Naturally, the md5 hashes should be compared afterwards. If you only want to make an image of a specific file system -- known as a drive in Windows jargon -- you can also back up individual partitions instead of entire drives and have dd read from hdaX instead of hda (X=1, 2, etc.). That facilitates subsequent analyses but is only useful if the partition table has not been damaged. In the process, you also lose all of the information stored outside of the file system, such as the master boot record. Experts therefore always work with images of entire drives.

The US Defense Department's Computer Forensic Lab has developed an expanded version of dd called dcfldd, which calculates the md5 hash while imaging. And if you need to work with defective data carriers, dd_rescue can help. However, it is often better to have professional rescue labs take care of suspicious data carriers before too much material is lost. (All of the tools can be downloaded via the links at the end of this article.)

Print Version | Permalink: http://h-online.com/-747165