In association with heise online

All the extras

The Open Source project AIR-Imager (automated image and restore) makes these tools easier to use by wrapping dd & Co. in a graphical user interface. It handles the selection of source and target drives, compression, network transfer, automatic authentication, and the wiping of devices. AIR-Imager can use either plain dd or dcfldd.

[Figure: AirImager] The Tk interface of AirImager makes it easier to use tools such as dd, md5sum and netcat.

The ODESSA (Open Digital Evidence Search and Seizure Architecture) project, which is still in an early development phase, provides some initial analysis functions during the process of creating an image. It is based on a client/server structure that enables forensic work to be done within a LAN. Among other things, it uses a plug-in interface to calculate hash values, search for strings, and extract files based on header and footer signatures.

Forensic analysis

Once forensic copies have been made of all of the data carriers affected, the originals should be stored safely, and all subsequent analysis is done on the copies only. This safety measure ensures that independent third parties can replicate the findings reliably. For the same reason, images should only be mounted read-only for inspection, so that the examination cannot introduce changes to the evidence.

In the field of analysis, Linux offers a number of tools and mechanisms to sift through files. The loopback device is especially useful in practice; it allows a forensic dd image to be mounted read-only:

mount -o loop,ro hda1.dd /mnt/test1

For the rest of the analysis, you can continue to work as though the physical data carrier were in the system. If the image was made of an entire drive, you have to mount partitions with suitable offsets or extract them via dd [2]. Here, the staff at NASA has come up with an enhanced loopback device that makes work even easier by interpreting the partition information automatically in an image file.
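The whole-drive case described above, as an added example that is not part of the original article: the script reads the partition table of an image (here a constructed `sfdisk -d`-style dump; the `unit: sectors` / `start=` / `sector-size:` line format is assumed from util-linux), converts a partition's start sector into a byte offset, and builds the read-only loop mount line for that partition. The `part_offset` and `mount_cmd` names and the `disk.dd` image are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not code from the article): locate a partition inside a
# whole-disk dd image and mount it read-only through the loop device.
# Assumes the `sfdisk -d <image>` dump format of util-linux
# (unit: sectors, one "start=..., size=..." line per partition).

# Constructed sample of `sfdisk -d disk.dd` output for a two-partition image.
SAMPLE_TABLE='label: dos
label-id: 0x1a2b3c4d
device: disk.dd
unit: sectors
sector-size: 512

disk.dd1 : start=        2048, size=      204800, type=83
disk.dd2 : start=      206848, size=     1843200, type=83'

# part_offset <table-text> <partition-number>
#   prints the byte offset of the N-th partition (start sector * sector size)
part_offset() {
    table="$1"; n="$2"
    printf '%s\n' "$table" | awk -v n="$n" '
        /^sector-size:/ { ss = $2 }            # honour 4K-sector images
        /: start=/ {
            idx++
            if (idx == n) {
                sub(/.*start=[ ]*/, "")        # strip everything up to the value
                sub(/,.*/, "")                 # drop ", size=..., type=..."
                start = $0
            }
        }
        END {
            if (ss == "") ss = 512             # default when no sector-size line
            if (start == "") exit 1            # partition number not present
            print start * ss
        }'
}

# mount_cmd <image> <byte-offset> <mountpoint>
#   prints the mount command to run (as root); ro keeps the evidence unchanged,
#   noexec/nodev stop anything on the image from being executed or used as a device
mount_cmd() {
    printf 'mount -o loop,ro,noexec,nodev,offset=%s %s %s\n' "$2" "$1" "$3"
}

# Usage: mount the second partition of disk.dd read-only.
off=$(part_offset "$SAMPLE_TABLE" 2)
mount_cmd disk.dd "$off" /mnt/evidence
```

The printed command is the one to run; the script itself does not mount anything and needs no privileges. Two caveats from practice: `ro` does not stop ext3/ext4 from replaying a dirty journal on mount, so add `noload` for those file systems (or use a write-blocked copy); and if `offset=` is unavailable, the same start/size values feed `dd if=disk.dd of=p2.dd bs=512 skip=206848 count=1843200` to extract the partition first, which is the route the article mentions.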

For the analysis, experts like to use such tools as grep, strings, find, file and hexedit. Unfortunately, the storage media to be investigated keep growing in size, and even the best forensic expert cannot work through a 200 gigabyte hard drive with a hex editor within a reasonable time. Special tools are needed to automate parts of the analysis and reduce the manual work to a manageable level.

Trackers at work

Since 1999, a very comprehensive collection of Open Source tools, appropriately called The Coroner's Toolkit (TCT) and developed by Dan Farmer and Wietse Venema, has been available for the postmortem analysis of a UNIX system after a security breach. Among other things, the collection includes tools such as grave-robber and mactime, which collect access-time information from the file system, even for files that have been deleted; unrm and lazarus restore deleted files. TCT is platform-specific: the analysis platform and the investigated platform have to be the same. Brian Carrier has developed TCT further to get around this shortcoming. His Sleuth Kit, known as TASK until recently, runs on various versions of UNIX, including Linux. It analyzes DOS, BSD and Mac partitions as well as Sun slices, but at present can only read the NTFS, FAT, FFS, ext2fs and ext3fs file systems.

Sleuth Kit

The Sleuth Kit's command line tools do not need any operating system functions to analyze images. Instead of mounting them, they rely on their own infrastructure to interpret data and metadata. They even find data hidden between partitions and support all of the attributes of NTFS files, such as alternate data streams.

In the field of computer forensics, information is relevant not only when it is file content. In some cases, valuable evidence has come from the access patterns recorded in the file system, the so-called MAC times (modification, access and change timestamps). The Sleuth Kit provides some excellent tools to create a timeline of events that takes the original time zone and any clock skew into account. It can also import other time-stamped records, such as the log files of proxy servers, firewalls, etc., and include them in the timeline.

The media handled today often contain very large amounts of data, and the operating systems themselves contribute a great many files: a Windows 2000 installation, for instance, comprises almost 6,000 files. For an efficient analysis of such media it can therefore be very important to filter out known files and look only at the rest, or, conversely, to identify known files positively, such as when you are looking for pirated copies.

The US government maintains a comprehensive database for this purpose in which the hash values of a large number of known files are stored. This database is freely accessible, and the tools in the Sleuth Kit can include it in the investigation. [3]
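The two uses of a known-file hash set just described, discarding known files and positively identifying them, as an added example that is neither the article's nor the Sleuth Kit's own code. It uses only md5sum, sort and join on a read-only mounted image tree, and stands in for the real hash database with a constructed one-line list built from a reference copy of a "known" file; the `hash_tree`, `unknown_files` and `known_files` names, the demo directory and the file names in it are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the article or the Sleuth Kit): reduce a mounted
# image to the files NOT present in a known-file hash set, and list the files
# that ARE present (positive identification). The hash list format assumed
# here is one lowercase MD5 per line, sorted.
export LC_ALL=C            # sort and join must agree on the collation order

# hash_tree <dir> -> "md5 path" lines, sorted on the hash column
hash_tree() {
    find "$1" -type f -exec md5sum {} + \
        | sed 's/^\([0-9a-f]*\)  */\1 /' \
        | sort -k1,1
}

# unknown_files <dir> <hashlist> -> paths whose hash is not in the known set
#   (join -v 1 keeps only lines of input 1 with no partner in input 2)
unknown_files() {
    hash_tree "$1" | join -v 1 -j 1 - "$2" | cut -d' ' -f2-
}

# known_files <dir> <hashlist> -> paths whose hash IS in the known set
known_files() {
    hash_tree "$1" | join -j 1 - "$2" | cut -d' ' -f2-
}

# --- constructed demo data: a tiny "image" tree and a one-entry hash list ---
DEMO=$(mktemp -d)
printf 'boilerplate OS library\n' > "$DEMO/kernel32.dll"   # stands in for a known OS file
printf 'contents of a user document\n' > "$DEMO/report.doc" # the file worth looking at
KNOWN=$(mktemp)
# The known set is built from a reference copy of the OS file, i.e. the same
# content the real database would have hashed; sorted so that join can use it.
printf 'boilerplate OS library\n' | md5sum | cut -d' ' -f1 | sort > "$KNOWN"

echo "Files not in the known set (to be examined):"
unknown_files "$DEMO" "$KNOWN"
echo "Files positively identified as known:"
known_files "$DEMO" "$KNOWN"
```

On a real case the hash list comes from the published database and the directory is the read-only mount point of the image; because both sides are sorted on the hash, the join runs in one pass over even a very large tree, which is what makes the filter practical for the drive sizes the article complains about. Keep `LC_ALL=C` on both the sort that produced the hash list and the one here, or join will reject the input as unsorted.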

Permalink: http://h-online.com/-747165