Forensic Guide To Linux

The Law Enforcement and Forensic Examiner Introduction to Linux

A Beginner's Guide

Barry J. Grundy

Special Agent

NASA Office of Inspector General
Computer Crimes Division
Code 190
Greenbelt Rd.
Greenbelt, MD 20771

(301) [email protected]

VER 2.0.5

January 2004

Legalities

Foreword

A Word About the "GNU" in GNU/Linux

Why Learn Linux?

I. Installation
    Distributions
    Installation Methods
    Installation Overview
    The New 2.6 Linux Kernel

II. Linux Disks, Partitions and the Filesystem
    Disks
    Partitions
    Using Modules
    Modules on Newer Systems
    The Filesystem

III. The Linux Boot Sequence (Simplified)
    Booting the Kernel
    Initialization
    Runlevel
    Global Startup Scripts
    Bash

IV. DOS / Linux Equivalent Commands
    "DOS Command" = Linux Equivalent
    Additional Useful Commands
    File Permissions
    Metacharacters
    Command Hints
    Pipes and Redirection
    The Superuser

V. Editing with vi
    Using vi
    vi Command Summary

VI. Mounting File Systems on Disks
    The mount Command
    The File System Table (/etc/fstab)

VII. Linux and Forensics
    Included Forensic Tools
    Analysis Organization
    Determining the Structure of the Disk
    Creating a Forensic Image of the Suspect Disk
    Mounting a Restored Image
    File Hash
    The Analysis
    Making a List of All Files
    Making a List of File Types
    Viewing Files
    Searching Unallocated and Slack Space for Text

VIII. Common Forensic Issues
    Handling Large Disks
    Preparing a Disk for the Suspect Image

IX. Advanced (Beginner) Forensics
    The Command Line on Steroids
    Fun with dd
    Splitting Files and Images
    Data Carving with dd
    Carving Partitions with dd
    The NASA Enhanced Loopback Driver
    Determining the Subject Disk Filesystem Structure

X. Advanced Forensic Tools
    Sleuthkit
    Autopsy
    SMART for Linux
    Other Advanced Linux Forensic Tools

XI. Bootable Linux Distributions
    Tomsrtbt - Boot from a Floppy
    Knoppix - Full Linux without the Install
    Penguin Sleuth - Knoppix with a Forensic Flavor
    White Glove Linux - Dr. Fred Cohen
    SMART for Linux - It's Bootable!

Conclusion

XI. Linux Support
    Web Sites to Check for Support


Legalities

All trademarks are the property of their respective owners.

© 1998-2004 Barry J. Grundy ([email protected]): This document may be redistributed, in its entirety, including the whole of this copyright notice, without additional consent if the redistributor receives no remuneration and if the redistributor uses these materials to assist and/or train members of Law Enforcement or Security / Incident Response professionals. Otherwise, these materials may not be redistributed without the express written consent of Barry J. Grundy.

Foreword

The purpose of this document is to provide an introduction to the GNU/Linux (Linux) operating system as a forensic tool for computer crime investigators. There are better books written on the subject of Linux (by better qualified professionals), but my hope here is to provide a single document that allows a user to sit at the shell prompt (command prompt) for the first time and not be overwhelmed by a 700-page book.

Tools available to investigators for forensic analysis are presented with practical exercises. This is by no means meant to be the definitive “how-to” on forensic methods using Linux. Rather, it is a _starting point_ for those who are interested in pursuing the self-education needed to become proficient in the use of Linux as an investigative tool. Not all of the commands offered here will work in all situations, but by describing the _basic_ commands available to an investigator I hope to “start the ball rolling”. I will present the commands; the reader needs to follow up on the more advanced options and uses. Knowing _how_ these commands work is every bit as important as knowing what to type at the prompt. If you are even an intermediate Linux user, then much of what is contained in these pages will be review. Still, I hope you find some of it useful.

Over the past couple of years I have repeatedly heard from colleagues that have tried Linux by installing it, and then proceeded to sit back and wonder “what next?” You have a copy of this introduction. Now download the exercises and drive on.

As always, I am open to suggestions and critique. My contact information is on the front page. If you have ideas, questions, or comments, please don’t hesitate to call or e-mail me. Any feedback is welcome.

This document is often updated. Check for newer versions (numbered on the front page) on the NASA Headquarters FTP site or in the “resources” section of the Ohio HTCIA website:

ftp://ftp.hq.nasa.gov/pub/ig/ccd/linuxintro/

http://www.ohiohtcia.org/resource.html

A word about the “GNU” in GNU/Linux

When we talk about the Linux operating system, we are actually talking about the GNU/Linux operating system (OS). Linux itself is _not_ an OS. It is just a kernel. The OS is actually a combination of the Linux kernel and the GNU utilities that provide the tools allowing us to interact with the kernel, which is why the proper name for the OS is “GNU/Linux”. We (incorrectly) call it “Linux” for convenience.

Why Learn Linux?

One of the questions I hear most often is: “why should I use Linux when I already have [insert Windows GUI forensic tool here]?”

There are many reasons why Linux is quickly gaining ground as a forensic platform. I’m hoping this document will illustrate some of those attributes.

  • Control – not just over your forensic software, but the whole OS and attached hardware.

  • Flexibility – boot from a CD (to a complete OS), file system support, platform support, etc.

  • Power – A Linux distribution _is_ a forensic tool.

Another point to be made is that simply knowing _how_ Linux works is becoming more and more important. While many of the Windows-based forensic packages in use today are fully capable of examining Linux systems, the same cannot be said for the examiners.

As Linux becomes more and more popular, both in the commercial world and with desktop users, the chance that an examiner will encounter a Linux system in a case becomes more likely (especially in network investigations). Even if you elect to utilize a Windows forensic tool to conduct your analysis, you _must_ at least be familiar with the OS you are examining. If you do not know what is normal, then how do you know what does not belong? This is true on so many levels, from the actual contents of various directories to strange entries in configuration files, all the way down to how files are stored. While this document is more about Linux as a forensic tool rather than analysis of Linux, you can still learn a lot about how the OS works by actually _using_ it.
