Getting started with GNU/Linux

Tasks

  • Make a copy of the CD (.iso).
  • Find ALL the files in the image furry.iso. Are all the kittens good?
  • Examine the disks at polz.si/dsrf without modifying them.

Directory structure

Introduction (you can probably skip this)

Data that should survive a reboot is stored in files. Each file is located in a directory. Each directory can contain an almost unlimited number of directories or files.

Directories are organized into a tree structure. At the top is the root directory. Each directory contains two special subdirectories: ".", which represents the directory itself, and "..", which represents its parent. The parent of the root directory is the root directory itself.

To read or write data, we must open the file. To do this, we give the operating system the path to the file.

A file path consists of the names of the directories that have to be opened one after another to reach the file, each followed by a "/", and finally the file name. Since every directory is a subdirectory of the root directory, every path starts with "/".

Besides directories and files, the operating system also supports devices, which from the user's point of view behave (almost) the same as files.

Directory structure (read if you mostly use Windows)

Most Linux distributions lay out their files according to the Filesystem Hierarchy Standard (FHS).

Using Linux to capture forensic disk images

When it comes to capturing data from a disk, the advantage of Unix-like operating systems over, for example, Microsoft Windows is that disks and other storage media can be treated as ordinary files. In addition, Linux supports most existing file systems. This makes GNU/Linux a good platform for developing digital forensics tools.

The disadvantage of GNU/Linux is that it is less widespread, so fewer companies develop software for it. Because digital forensics is a field often practised by people who are not computer specialists (police officers, for example), companies that make a living developing digital forensics software build their products mostly for Microsoft Windows.

A typical process of capturing data from an unencrypted device

The entire procedure below is, of course, documented carefully.

  • Turn off the device.
  • Remove the disk(s).
  • Connect the disks to a device that reads disks without modifying the data (e.g. a properly configured GNU/Linux system or specialized hardware).
  • Copy all the data from the disk.
  • Calculate the checksums.

How to find a device that represents a disk

The first option is to check what the kernel printed when the device was connected, using the dmesg command:

polz@polzevpc ~/p/f/v/02(540|)>  sudo dmesg
[669093.950519] usb 1-1: new high-speed USB device number 55 using xhci_hcd
[669094.108967] usb 1-1: New USB device found, idVendor=0781, idProduct=a7a8, bcdDevice= 1.27
[669094.108974] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[669094.108977] usb 1-1: Product: SDDR-113
[669094.108979] usb 1-1: Manufacturer: SanDisk Corp.
[669094.108981] usb 1-1: SerialNumber: 6333011111B1
[669094.109653] usb-storage 1-1:1.0: USB Mass Storage device detected
[669094.113387] scsi host2: usb-storage 1-1:1.0
[669095.114612] scsi 2:0:0:0: Direct-Access     SanDisk  SDDR-113         1.00 PQ: 0 ANSI: 0
[669095.114991] sd 2:0:0:0: Attached scsi generic sg2 type 0
[669095.953324] sd 2:0:0:0: [sdc] 63404032 512-byte logical blocks: (32.5 GB/30.2 GiB)
[669095.953735] sd 2:0:0:0: [sdc] Write Protect is off
[669095.953740] sd 2:0:0:0: [sdc] Mode Sense: 03 00 00 00
[669095.954110] sd 2:0:0:0: [sdc] No Caching mode page found
[669095.954115] sd 2:0:0:0: [sdc] Assuming drive cache: write through
[669095.989137]  sdc: sdc1
[669095.991959] sd 2:0:0:0: [sdc] Attached SCSI removable disk

Alternatively, we can use the command lsblk:

polz@polzevpc ~/p/f/v/02(540|)> lsblk
NAME           MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
loop0            7:0    0   1.5G  0 loop  /home/polz/live_build/mnt
sda              8:0    0 931.5G  0 disk
├─sda1           8:1    0   953M  0 part
├─sda2           8:2    0   954M  0 part  /boot
└─sda3           8:3    0 929.7G  0 part
  └─sdb3_crypt 253:0    0 929.7G  0 crypt /
sdb              8:16   0 119.2G  0 disk
├─sdb1           8:17   0   512M  0 part  /boot/efi
├─sdb2           8:18   0   244M  0 part
└─sdb3           8:19   0 118.5G  0 part
sdc              8:32   1  30.2G  0 disk
└─sdc1           8:33   1  30.2G  0 part
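
The dmesg excerpt above contains everything an examiner should note down before imaging: the device node the kernel assigned, its exact size, and whether the kernel considers the device write-protected. The following script, added here as an example and not part of the course page, pulls those three facts out of kernel log text with sed. SAMPLE_DMESG is a constructed copy of four lines from the excerpt; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the course page): extract the facts an examiner records from
# kernel log lines like the dmesg excerpt above. All functions read dmesg text from
# standard input. SAMPLE_DMESG is a constructed copy of four lines of the excerpt.

SAMPLE_DMESG='[669095.953324] sd 2:0:0:0: [sdc] 63404032 512-byte logical blocks: (32.5 GB/30.2 GiB)
[669095.953735] sd 2:0:0:0: [sdc] Write Protect is off
[669095.989137]  sdc: sdc1
[669095.991959] sd 2:0:0:0: [sdc] Attached SCSI removable disk'

# newest_sd_device: name (e.g. sdc) of the last SCSI disk the kernel attached.
newest_sd_device() {
    sed -n 's/.*\[\(sd[a-z]*\)\] Attached SCSI.*/\1/p' | tail -n 1
}

# device_blocks NAME: number of 512-byte logical blocks the kernel reported for NAME.
device_blocks() {
    sed -n "s/.*\[$1\] \([0-9][0-9]*\) 512-byte logical blocks.*/\1/p" | tail -n 1
}

# device_bytes NAME: the same size in bytes; a finished image must be exactly this long.
device_bytes() {
    blocks=$(device_blocks "$1")
    [ -n "$blocks" ] || return 1
    echo $((blocks * 512))
}

# device_write_protect NAME: "on" or "off" as logged by the kernel, "unknown" if not logged.
device_write_protect() {
    state=$(sed -n "s/.*\[$1\] Write Protect is \([a-z]*\).*/\1/p" | tail -n 1)
    echo "${state:-unknown}"
}

# write_blocked NAME: succeeds only when the kernel itself reports the device as
# write-protected. In the excerpt above sdc reports "off", so a hardware or software
# write blocker still has to be applied before the disk is imaged.
write_blocked() {
    [ "$(device_write_protect "$1")" = "on" ]
}

# Stand-alone run over the constructed sample.
name=$(printf '%s\n' "$SAMPLE_DMESG" | newest_sd_device)
echo "device: $name"
echo "bytes:  $(printf '%s\n' "$SAMPLE_DMESG" | device_bytes "$name")"
if printf '%s\n' "$SAMPLE_DMESG" | write_blocked "$name"; then
    echo "write protect: on"
else
    echo "write protect: $(printf '%s\n' "$SAMPLE_DMESG" | device_write_protect "$name") (apply a write blocker first)"
fi
```

The byte count (63404032 blocks × 512 = 32462864384 bytes) is worth keeping in the case notes: after acquisition, an image whose length differs from it is incomplete. On a live system feed the functions with `dmesg | newest_sd_device` instead of the sample.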

How we copy the data

For the copy itself we can use the simple cat command with a redirection:

polz@polzevpc ~/p/f/v/02(540|)> cat /dev/sdX > /home/forenzik/disk_X.raw

To image disks that have bad sectors we can use ddrescue, which takes the output image and a map file in which it records which blocks have already been read:

polz@polzevpc ~/p/f/v/02(540|)> ddrescue /dev/sdX /home/forenzik/disk_X.raw /home/forenzik/disk_X.map

For images that will be copied often, it is a good idea to use a format in which checksums are calculated not only for the whole disk but also for its parts. One such format is the Advanced Forensics Format:

polz@polzevpc ~/iso> affconvert mojdisk.raw mojdisk.aff
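
The procedure for an unencrypted device and the copy commands above are easy to do in the wrong order (copy first, hash later, documentation never). The script below, added here as an example and not part of the course page, ties the steps together: it makes the source read-only, copies it with cat exactly as above, hashes source and image independently, and appends a record to a log. It assumes coreutils (cat, sha256sum, wc, date) and blockdev from util-linux; device and file paths are supplied by the caller, and a regular file can stand in for the device when trying the script out.

```shell
#!/bin/sh
# Added example, not part of the course page: the imaging steps above as one script,
# so that copy, checksum and documentation always happen together. Assumes coreutils
# (cat, sha256sum, wc, date) and util-linux (blockdev); device and file paths are
# supplied by the caller.

set -u

# acquire_image SOURCE IMAGE LOG
# Copies SOURCE (a block device such as /dev/sdX, or a regular file when testing) to
# IMAGE, records the SHA-256 of both in LOG and returns 0 only if the two sums match.
acquire_image() {
    src=$1; img=$2; log=$3

    # Never write to the evidence: for a real block device ask the kernel to refuse
    # writes before anything else touches it (a regular test file needs no such step).
    if [ -b "$src" ]; then
        blockdev --setro "$src" || return 2
    fi

    # Byte-for-byte copy, exactly like "cat /dev/sdX > disk_X.raw" above.
    cat "$src" > "$img" || return 3

    # Checksums of the original and of the copy, computed independently.
    src_sum=$(sha256sum < "$src" | cut -d' ' -f1)
    img_sum=$(sha256sum < "$img" | cut -d' ' -f1)

    # Documentation: when, what, how big, and the sums a later examiner will re-check.
    {
        echo "date:          $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source:        $src"
        echo "image:         $img"
        echo "size:          $(wc -c < "$img" | tr -d ' ') bytes"
        echo "sha256 source: $src_sum"
        echo "sha256 image:  $img_sum"
    } >> "$log"

    if [ "$src_sum" = "$img_sum" ]; then
        echo "result:        OK" >> "$log"
        return 0
    fi
    echo "result:        MISMATCH" >> "$log"
    return 1
}

# image_sha256 FILE: prints the SHA-256 of FILE, for the log and for later comparison.
image_sha256() {
    sha256sum < "$1" | cut -d' ' -f1
}

# verify_image FILE EXPECTED_SUM: succeeds only if FILE still hashes to EXPECTED_SUM;
# run this on every working copy before analysing it.
verify_image() {
    [ "$(image_sha256 "$1")" = "$2" ]
}
```

Usage on a real device is `acquire_image /dev/sdX /home/forenzik/disk_X.raw /home/forenzik/disk_X.log` as root. Hashing the source a second time after the copy is deliberate: a read error or a device that silently changed between the two reads shows up as a mismatch, which is the point at which ddrescue and the per-block checksums of AFF become interesting.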

A typical process of capturing data from an encrypted device

  • xkcd.
  • The examination of the device is recorded on video or otherwise documented.
  • We extract the important data, usually by breaking into the device more or less forcibly.

Tools for working with disk images

Once we have captured a disk image, we usually want to access the files stored on it. To reach them, we first need an image of the partition that holds the file system. This can be done in several ways.

kpartx

A tool that lets the kernel treat a file as if it were a disk and read the partition table and similar structures from it. The main drawback is that if the file is deleted, the device still points to the blocks the file previously occupied. This weakness can lead to "interesting" results.

In addition, at least until 2016 (the assistant has not tested this since), running several kpartx instances concurrently or in quick succession could deadlock the kernel.

To attach a disk with kpartx we can use:

kpartx -a slikadiska.raw

The detected partitions are then accessible as /dev/mapper/loopXpY, where X and Y are the disk and partition numbers.

After the work is finished, the disk must be detached:

kpartx -d slikadiska.raw

qemu-nbd

A tool developed as part of the qemu project. It allows any virtual disk image to be used as a network block device (NBD). Because it also supports "raw" virtual disks, it can be used to examine the images of physical disks we have captured.

To attach a disk (substitute X with the number of the device):

modprobe nbd max_part=128
qemu-nbd -c /dev/nbdX slikadiska.raw

The detected partitions are then accessible as /dev/nbdXpY, where X and Y are the disk and partition numbers.

To disconnect a disk:

qemu-nbd -d /dev/nbdX

libguestfs

A library developed for repairing and working with virtual disk images. It works by starting a virtual machine to which it then sends commands such as "mount the disk", "read the file" and so on. File system drivers are generally not written to behave correctly on corrupted file systems, so mounting a disk image directly can crash the system or even lead to execution of malicious code. libguestfs shields us from this danger.

To attach a disk, we can use:

guestmount -a slikadiska.raw -m /dev/sda1 --ro /moj/imenik

The files on the first partition are then accessible in /moj/imenik.
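
The introduction to this section says there are several ways to get at the partition image, and the libguestfs paragraph explains why handing a suspect image to a kernel file-system driver is risky. A fourth way, which needs no driver at all, is to read the partition table yourself and cut the partition out with dd. The script below is added here as an example and is not part of the course page; it handles classic MBR tables only (not GPT), and make_sample_image builds a constructed 4-sector image so the functions can be exercised without real evidence.

```shell
#!/bin/sh
# Added example, not part of the course page: read the MBR partition table of a raw
# image with od and extract a partition with dd, so the image is never mounted by a
# kernel file-system driver. MBR only (no GPT). The sample image is constructed.

set -u

# make_sample_image FILE: 4 zeroed sectors holding one bootable partition of type 0x0c
# (FAT32 LBA) that starts at LBA 1 and is 2 sectors long, the 55 AA boot signature,
# and a recognisable payload at the start of the partition. Only non-zero bytes are
# written, each at its exact offset in the 16-byte partition entry at offset 446.
make_sample_image() {
    dd if=/dev/zero of="$1" bs=512 count=4 2>/dev/null
    printf '\200'     | dd of="$1" bs=1 seek=446 conv=notrunc 2>/dev/null  # bootable flag
    printf '\014'     | dd of="$1" bs=1 seek=450 conv=notrunc 2>/dev/null  # type 0x0c
    printf '\001'     | dd of="$1" bs=1 seek=454 conv=notrunc 2>/dev/null  # LBA start = 1
    printf '\002'     | dd of="$1" bs=1 seek=458 conv=notrunc 2>/dev/null  # 2 sectors
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null  # 55 AA
    printf 'PARTITION-DATA' | dd of="$1" bs=1 seek=512 conv=notrunc 2>/dev/null
}

# mbr_has_signature IMAGE: succeeds if bytes 510-511 are the 55 AA boot signature.
mbr_has_signature() {
    [ "$(od -A n -t x1 -j 510 -N 2 "$1" | tr -d ' \n')" = "55aa" ]
}

# mbr_part_field IMAGE N FIELD: FIELD is type, start (LBA) or sectors of entry N (1-4).
# od decodes the 4-byte fields in host byte order, which on x86/ARM is the same
# little-endian order the MBR uses on disk.
mbr_part_field() {
    entry=$((446 + ($2 - 1) * 16))
    case $3 in
        type)    off=$((entry + 4));  n=1 ;;
        start)   off=$((entry + 8));  n=4 ;;
        sectors) off=$((entry + 12)); n=4 ;;
        *)       return 1 ;;
    esac
    od -A n -t "u$n" -j "$off" -N "$n" "$1" | tr -d ' \n'
}

# extract_partition IMAGE N OUT: copies entry N's sectors into OUT, refusing images
# without a valid signature or entries that are empty (type 0).
extract_partition() {
    mbr_has_signature "$1" || { echo "no MBR signature in $1" >&2; return 1; }
    [ "$(mbr_part_field "$1" "$2" type)" != "0" ] || { echo "entry $2 is empty" >&2; return 1; }
    dd if="$1" of="$3" bs=512 skip="$(mbr_part_field "$1" "$2" start)" \
       count="$(mbr_part_field "$1" "$2" sectors)" 2>/dev/null
}
```

The extracted partition image can then be examined with tools that parse the file system in user space, or handed to guestmount; nothing in this step has interpreted file-system metadata, so a corrupted or hostile file system cannot affect the acquisition host here.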

Expected problems

Difficulties when examining disks on modern computers generally stem from the fact that most users want to access the data on a disk as soon as they have attached it to their computer.

We prevent this simply by removing such tools from the system we use to capture disk images, or by disabling them.

mdadm

When a disk that was part of a RAID array is attached, the mdadm tools try to assemble the array. This can change the time of the disk's last attachment, which changes the checksums and makes the evidence less trustworthy.

It may also start reconstructing or reassembling the array, which means that a lot of data is lost.

lvm

When a disk (physical volume) that was part of an LVM group is attached, the LVM2 tools try to assemble the group. This can change the time of the disk's last attachment, which breaks the checksums and makes the evidence less trustworthy.

policykit

PolicyKit makes sure that ordinary users can mount disks, for example when a USB stick is inserted. When a disk is inserted and a suitable desktop is running, it may mount the file system and potentially destroy evidence.
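
The three subsections above each name an auto-assembler to remove or disable on the acquisition host. The script below, added here as an example and not part of the course page, writes the corresponding settings and checks that they are in place. The settings themselves are standard (an `AUTO -all` line in mdadm.conf, an empty `auto_activation_volume_list` for LVM2, and a udev rule that runs `blockdev --setro` on every newly attached USB block device); the udev rule file name, the use of lvmlocal.conf, and the ROOT prefix that lets the functions be tried against a scratch directory instead of the live /etc are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the course page: switch off the three auto-assemblers
# discussed above on an acquisition host and verify that they are off. ROOT is a
# prefix ("" for the live system, a scratch directory when trying this out).
# Assumptions: the distribution reads /etc/lvm/lvmlocal.conf (standard in LVM2) and
# /etc/mdadm/mdadm.conf; the rule file name 90-forensic-readonly.rules is our choice.

set -u

# disable_auto_assembly ROOT: writes the configuration under ROOT/etc.
disable_auto_assembly() {
    root=$1
    mkdir -p "$root/etc/mdadm" "$root/etc/lvm" "$root/etc/udev/rules.d"

    # mdadm: never auto-assemble any array the kernel sees (AUTO line, man mdadm.conf).
    printf 'AUTO -all\n' >> "$root/etc/mdadm/mdadm.conf"

    # LVM2: an empty auto-activation list means no volume group is activated on hotplug.
    printf 'activation {\n    auto_activation_volume_list = [ ]\n}\n' \
        > "$root/etc/lvm/lvmlocal.conf"

    # udev: mark every newly attached USB block device read-only before anything else
    # (a PolicyKit-driven desktop auto-mount included) gets a chance to touch it.
    printf '%s\n' \
        'ACTION=="add", SUBSYSTEM=="block", ENV{ID_BUS}=="usb", RUN+="/sbin/blockdev --setro /dev/%k"' \
        > "$root/etc/udev/rules.d/90-forensic-readonly.rules"
}

# check_auto_assembly ROOT: prints one line per subsystem, returns 1 if any is still on.
check_auto_assembly() {
    root=$1; status=0
    if grep -qs '^AUTO -all' "$root/etc/mdadm/mdadm.conf"; then
        echo "mdadm:   auto-assembly off"
    else
        echo "mdadm:   auto-assembly ON"; status=1
    fi
    if grep -qs 'auto_activation_volume_list *= *\[ *\]' \
            "$root/etc/lvm/lvmlocal.conf" "$root/etc/lvm/lvm.conf"; then
        echo "lvm:     auto-activation off"
    else
        echo "lvm:     auto-activation ON"; status=1
    fi
    if grep -qs 'blockdev --setro' "$root"/etc/udev/rules.d/*.rules; then
        echo "udev:    USB block devices forced read-only"
    else
        echo "udev:    no read-only rule"; status=1
    fi
    return $status
}
```

Run `check_auto_assembly ""` on the imaging machine before each acquisition; a clean result still leaves the desktop auto-mounter itself, so on a systemd host with a desktop installed, masking udisks2.service (or simply not running a desktop on the acquisition host) completes the picture.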

Last modified: Friday, 3 April 2020, 5:14 PM