The NASA Enhanced Loopback Driver

In the preceding section we discussed using dd to carve partitions out of a bit-stream forensic image. The reason we do this is to allow us to _mount_ those partitions for analysis. We found that we could use the standard loopback driver to assist us in determining the partitions contained in the image if the original drive is not available. We also learned that we couldn't use the standard loopback driver to actually mount the partitions.

The NASA Computer Crimes Division has developed an Enhanced Loopback Driver that takes steps toward solving these issues. It is available in several forms from the following site:

ftp://ftp.hq.nasa.gov/pub/ig/ccd/enhanced_loopback/

The documentation (located at the same place) is clear, and the installation is fairly straightforward. You should _always_ keep in mind, though, that when you are messing with the system kernel, you are acting as a brain surgeon on your computer. It's always possible that it won't wake up again (won't boot). For the most part, this is recoverable with a boot disk, but the process can be frustrating and time consuming.

The Enhanced Loopback driver is actually a kernel module. It is made available as a part of a full kernel pre-compiled binary, or as a full kernel source package that you can customize and compile yourself. If you wish to try the NASA Loopback Kernel, consider using the pre-compiled binary. If you are interested in learning to compile your own kernel for forensic use, then I would suggest reading Thomas Rude’s (Farmerdude) thorough paper on the subject at:

http://www.crazytrain.com/monkeyboy/FSK.pdf

Farmerdude offers some detailed information on what the kernel is, how it works, and the options available to you to make your kernel fit your needs. Do not underestimate the importance of this subject to your continued Linux education. The benefits and dangers of compiling a custom kernel are outside the scope of this beginner's guide, but I would strongly suggest you read Farmerdude's paper if you have any desire to learn more nuts-and-bolts Linux. There is a plethora of information available at Farmerdude's website regarding Linux and its application as a forensic platform at

http://www.crazytrain.com
