unix lab

841- Advanced Computer Forensics


Unix Forensics Lab

******************************************************************************

To challenge yourself, you may work on the advanced Unix forensics lab analyzing the Lewis USB image and writing a report about this case. See the file UNIXForensicslab-usb for details.

******************************************************************************


Objective

This lab will use Autopsy, Sleuthkit and foremost to analyze a given image. Read the entire document before starting to be sure you have all the necessary tools and files required to complete the lab. You should further explore the tools used in this lab to ensure your familiarity with alternative investigation options.

Deliverable

Answer all the exercise questions and include screenshots as supporting data if necessary.

OPTIONS:

You can work on this lab by

1. using a bootable live CD, for example, BackTrack 5;

2. using the RLES vCloud;

3. using the SANS Investigative Forensic Toolkit (SIFT) Workstation, http://computer-forensics.sans.org/community/downloads ;

4. installing the software on your own system (check the appendix for more installation details).

If you choose to use the RLES vCloud, please continue.

Lab Setup for using RLES vCloud

This lab is designed to function on the RLES vCloud via https://rlesvcloud.rit.edu/cloud/org/NAT . Please FIRST read the RLES VCLOUD user guide in myCourses > Content > Hands-on Labs.

Special Browser Setting Requirement (See RLES VCLOUD user guide)

In order to view the console of virtual machines, the VMRC plugin must be installed within the browser. The first time the console is accessed, the plugin can be downloaded. In Internet Explorer, https://rlesvcloud.rit.edu must be added to the Local intranet zone. (Go to Tools -> Internet Options -> Security tab -> Local intranet, click the Sites button, click Advanced and add the URL.)

The interface is available by navigating to https://rlesvcloud.rit.edu/cloud/org/NAT. (Yes, we know the certificate wasn’t issued by a commonly trusted certificate authority. Also check the user guide for your browser compatibility).

Use your RIT Computer Account credentials to gain access to the rlesvcloud interface.

To start, you will first create your vApp by following the instructions of "Add a vApp Template to My Cloud" in the RLES VCLOUD user guide. Make sure to follow the vApp name convention defined in the RLES VCLOUD user guide and select the vApp template, 841_Linux_Forensics, from the Public Catalogs. No network/IP address is needed for this lab.

Double click on the virtual machine to power it on; you should now have a Linux forensics machine with all the forensic tools you need for this investigation. Login to the virtual machine with

Username: root

Password: netsys


Exercise 1: Using Autopsy and Sleuthkit

Requires: floppy.dd disk image (located in the Images folder on desktop).

Review http://www.sleuthkit.org/sleuthkit/tools.php, which lists all of the tools that make up Sleuthkit. Make sure to review all of the commands now; otherwise this lab will be extremely difficult to complete.

Autopsy 2.21 was installed in /usr/local/autopsy-2.21/ with the default evidence locker /usr/local/evidence.

To start Autopsy:

Start a terminal (go to Applications -> Accessories -> Terminal) and type in

$ /usr/local/autopsy-2.21/autopsy

While this process is running, open a web browser and point it to the URL that Autopsy prints:

http://localhost:9999/autopsy

Click on “New Case”.

Enter “UnixLab-Case01” as the case name; then click “New Case”. Confirm the information and click “OK”. (Names with spaces will not work.)

Click “Add Host”.

Enter “Host1” under “Host Name” and “EST” under “Timezone” and click “Add Host”.

Question 1: What other information can be set?

Confirm the information and click “ADD HOST”.

Click “Add Image”.

Click “ADD IMAGE FILE”.

Select “Partition” instead of “Disk”.

In “Location” type the path to the image file “floppy.dd”. (The file floppy.dd is located in the folder called Images on the desktop.)

In “Import Method” select “Copy to Evidence Locker”.

Question 2: What other options are available to you? When might you want to use the alternatives?

The md5 hash value for floppy.dd is: ee54a82de158cb154252439c88d6859e

Review the options for checking / creating md5’s and select the appropriate entry based on the information you currently have.

Question 3: Which selection did you make and why?

Autopsy and Sleuthkit identify the file system type to be fat12.

Question 4: How would you determine the file system type of an image file? Include a screenshot to support your statement.

In “Mount Point” type “a:\”

Question 5: Why might the “original mount point” setting be useful?

Click “Add”.

Confirm the information and click “OK”.

Click “Analysis” and choose “FILE ANALYSIS”

Click some of the files shown. In the information window at the bottom click on the “display” and “report” links.

Question 6: What information can you get from “File Analysis”?

From here you can recover any of the files shown, including deleted ones. Next you will recover a deleted file.

Choose one of the deleted files. In the information window click “Export”.

Depending on your browser, it will either ask you to save the file or it will automatically create the file in your downloads folder.

Question 7: How can you determine that a file has been deleted?

Try opening the file. Run the “file” command on the file on your terminal.

Question 8: What other information is available from the “file” command? Include a screenshot to support your statement.

Click “File Type”. Then click “Sort Files by Type”. Then click “OK”.

Question 9: What other options are available? How might they be useful in an investigation?

Copy the URL of “Output can be found by viewing”. Then open a new browser window, paste the URL into the new window and load the page.

Question 10: What similarities and differences can you observe between the current page and the new page you opened? Is there any additional information available on either page? How might you use any such information (if it exists)?

The Sorter Output window shows you how many of each file type were found (categories can be added). Click one of the file type links.

Question 11: What information are you shown and why is this information useful?

Click on “Meta Data” and provide a valid inode number.

Question 12: Knowing an inode number, how can one determine the data blocks referenced by that inode (provide both a GUI answer and a CMD-LINE answer).
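The following is an added example, not code from the lab handout or from Sleuthkit, that walks through the command-line side of Questions 3, 4, 7 and 12 at the byte level: it builds a small FAT12 image in memory (constructed, not floppy.dd, so its MD5 has nothing to do with ee54a82de158cb154252439c88d6859e), reads the boot sector to decide the file system type the way fsstat does, lists root directory entries and flags the deleted one (its first name byte was overwritten with 0xE5), maps a directory entry to the clusters it references as istat would, and extracts the content as icat would. The floppy geometry, file names and file contents are all assumptions made for this example.

```python
"""Added example (not the handout's code): walk a FAT12 image by hand, as fsstat,
fls, istat/icat and Autopsy's MD5 check do for floppy.dd.  The image is CONSTRUCTED
in memory with 1.44 MB floppy geometry and is not the lab's floppy.dd."""
import hashlib
import struct

def _set_fat12(img, fat_off, n, value):      # 12-bit entries are packed 1.5 bytes each
    o = fat_off + n * 3 // 2
    if n & 1:
        img[o] = (img[o] & 0x0F) | ((value << 4) & 0xF0)
        img[o + 1] = (value >> 4) & 0xFF
    else:
        img[o] = value & 0xFF
        img[o + 1] = (img[o + 1] & 0xF0) | ((value >> 8) & 0x0F)

def build_sample_image():
    """Constructed floppy: HELLO.TXT (live, clusters 2->3) and a deleted SECRET.TXT (cluster 4)."""
    bps, spc, reserved, nfats, root_entries, total, spf = 512, 1, 1, 2, 224, 2880, 9
    img = bytearray(bps * total)
    img[0:3], img[3:11] = b"\xEB\x3C\x90", b"MSWIN4.1"
    struct.pack_into("<HBHBHHBH", img, 11, bps, spc, reserved, nfats, root_entries, total, 0xF0, spf)
    img[54:62], img[510:512] = b"FAT12   ", b"\x55\xAA"   # label string; tools do not trust it
    for copy in range(nfats):                              # FAT: chain 2->3->EOC, 4 zeroed on delete
        fat_off = (reserved + copy * spf) * bps
        for n, v in ((0, 0xFF0), (1, 0xFFF), (2, 3), (3, 0xFFF), (4, 0)):
            _set_fat12(img, fat_off, n, v)
    root_off = (reserved + nfats * spf) * bps
    data_off = root_off + root_entries * 32                 # cluster 2 starts here
    hello, secret = b"A" * 512 + b"tail of hello\n", b"deleted but still on disk\n"
    struct.pack_into("<11sB14xHI", img, root_off, b"HELLO   TXT", 0x20, 2, len(hello))
    # deleting only overwrites the first name byte with 0xE5; cluster and size survive
    struct.pack_into("<11sB14xHI", img, root_off + 32, b"\xE5ECRET  TXT", 0x20, 4, len(secret))
    img[data_off:data_off + len(hello)] = hello
    img[data_off + 2 * bps:data_off + 2 * bps + len(secret)] = secret
    return img

def parse_boot_sector(img):
    bps, spc, reserved, nfats, root_entries, total, _media, spf = struct.unpack_from("<HBHBHHBH", img, 11)
    first_data = reserved + nfats * spf + root_entries * 32 // bps
    return dict(bps=bps, spc=spc, reserved=reserved, nfats=nfats, root_entries=root_entries,
                spf=spf, first_data=first_data, clusters=(total - first_data) // spc)

def fs_type(bs):
    """FAT12/FAT16 BPB assumed; like fsstat, decide by cluster count, not by the label."""
    return "FAT12" if bs["clusters"] < 4085 else "FAT16"

def fat_entry(img, bs, n):
    o = bs["reserved"] * bs["bps"] + n * 3 // 2
    v = img[o] | (img[o + 1] << 8)
    return (v >> 4) if n & 1 else (v & 0x0FFF)

def cluster_offset(bs, cluster):                 # data clusters are numbered from 2
    return (bs["first_data"] + (cluster - 2) * bs["spc"]) * bs["bps"]

def root_entries(img, bs):
    """fls equivalent for the root directory; deleted entries start with 0xE5."""
    off = (bs["reserved"] + bs["nfats"] * bs["spf"]) * bs["bps"]
    out = []
    for i in range(bs["root_entries"]):
        raw = bytes(img[off + 32 * i:off + 32 * i + 32])
        if raw[0] == 0x00:
            break                                # end of directory
        name, attr, first, size = struct.unpack("<11sB14xHI", raw)
        if attr == 0x0F:
            continue                             # long-name entry
        out.append(dict(name=name.decode("latin-1"), deleted=raw[0] == 0xE5,
                        first_cluster=first, size=size))
    return out

def data_clusters(img, bs, entry):
    """istat equivalent: the clusters (data blocks) a directory entry refers to."""
    needed = -(-entry["size"] // (bs["bps"] * bs["spc"]))
    if entry["deleted"]:                         # chain was zeroed; assume contiguous
        return list(range(entry["first_cluster"], entry["first_cluster"] + needed))
    chain, c = [], entry["first_cluster"]
    while 2 <= c < 0xFF8 and len(chain) < needed:
        chain.append(c)
        c = fat_entry(img, bs, c)
    return chain

def read_file(img, bs, entry):
    """icat equivalent: join the clusters, trim to the recorded size."""
    size = bs["bps"] * bs["spc"]
    data = b"".join(bytes(img[cluster_offset(bs, c):cluster_offset(bs, c) + size])
                    for c in data_clusters(img, bs, entry))
    return data[:entry["size"]]

def md5_hex(img):
    """Hash of the image: compare with the value written down at acquisition time."""
    return hashlib.md5(bytes(img)).hexdigest()
```

On the real image the same steps are: md5sum floppy.dd (Question 3), fsstat floppy.dd (Question 4), fls -r floppy.dd, where deleted entries are marked with an asterisk (Question 7), and istat floppy.dd followed by the inode number to list the clusters, then icat floppy.dd with the same number to extract them (Question 12). Note that for a deleted FAT entry the chain in the FAT is gone, so both this example and the tools can only assume the clusters were contiguous.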

Click on “Image Details” and read the information given.

Question 13: What information can you get from this window?

Question 14: What is a superblock and what is its purpose?

Click “Close”.

Back in the “Host Manager” click “File Activity Timelines”.

Click “Create Data File”.

Select the disk image and click “OK”

Confirm the information.

Question 15: What command line tools were run? What other options can be passed to these tools?

Click “OK”.

In the “Create Timeline” window you can select the starting and ending dates of file activity that you want to see. For this lab you will choose none so you will see all activity.

Under “Enter the file name to save as” enter “fa_lab2”

Click “OK”.

Note where the timeline is saved to and click “OK”.

Note the information. Click the links at the top to look at other dates.

Question 16: What is the significance of the information? How might this be useful?
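Added example, not from the handout and not Sleuthkit's code: a small reimplementation of what Autopsy does behind "Create Data File" (it runs fls -m, which emits one body-format line per file) and "Create Timeline" (it runs mactime, which sorts those lines into a time-ordered list with m/a/c/b flags). BODY is a constructed body file with two invented entries, not the output for floppy.dd. The example also shows why the timezone entered at "Add Host" matters: the same epoch timestamps render five hours apart under EST and UTC.

```python
"""Added example (not the handout's code): a mactime-style timeline from a
body file.  BODY is CONSTRUCTED; it is not fls -m output for floppy.dd."""
import datetime as dt

EST = dt.timezone(dt.timedelta(hours=-5), "EST")   # the host timezone chosen in Autopsy
UTC = dt.timezone.utc

# md5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime   (epoch seconds, UTC)
BODY = """\
0|a:/HELLO.TXT|5|r/rrwxrwxrwx|0|0|526|1230804000|1230800400|1230800400|1230796800
0|a:/_ECRET.TXT (deleted)|7|r/rrwxrwxrwx|0|0|26|1230807600|1230807600|1230807600|1230807600
"""

def parse_body(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split("|")
        rows.append(dict(name=f[1], inode=f[2], mode=f[3], size=int(f[6]),
                         atime=int(f[7]), mtime=int(f[8]), ctime=int(f[9]), crtime=int(f[10])))
    return rows

def timeline(rows, tz=EST):
    """One event per distinct timestamp per file, flagged m/a/c/b like mactime."""
    events = []
    for r in rows:
        for t in sorted({r["mtime"], r["atime"], r["ctime"], r["crtime"]}):
            if t == 0:
                continue        # zero means "not set"; mactime skips it as well
            macb = "".join(ch if r[key] == t else "."
                           for ch, key in zip("macb", ("mtime", "atime", "ctime", "crtime")))
            events.append((t, macb, r))
    events.sort(key=lambda e: (e[0], e[2]["name"]))
    return [dict(when=dt.datetime.fromtimestamp(t, tz).strftime("%a %b %d %Y %H:%M:%S"),
                 macb=macb, size=r["size"], mode=r["mode"], inode=r["inode"], name=r["name"])
            for t, macb, r in events]

def render(rows, tz=EST):
    """Text layout in the spirit of mactime's output."""
    return "\n".join(f"{e['when']} {e['size']:>6} {e['macb']} {e['mode']} {e['inode']} {e['name']}"
                     for e in timeline(rows, tz))

if __name__ == "__main__":
    rows = parse_body(BODY)
    print(render(rows))          # as the lab's EST host sees it
    print(render(rows, UTC))     # every line shifts by five hours if the timezone is wrong
```

A file whose four timestamps differ produces several lines (created, then modified, then accessed), while one deleted and recreated in a single operation shows "macb" on one line; reading those patterns across many files is what makes the timeline useful.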

Click “Close”.

Back to “Host Manager” click “Image Integrity”.

Question 17: What comparisons are being made? How does it know?

Click “OK”.

Question 18: Explore any other features of Autopsy & Sleuthkit, and include any interesting results.

After you are done, close the case by clicking “Close Host” then “Close Case”. You can reopen the case to work on it later if you choose to.


Exercise 2: Using Foremost

“Foremost is a console program to recover files based on their headers and footers. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive. The headers and footers are specified by a configuration file, so you can pick and choose which headers you want to look for.” (From the Foremost website)

Read the document at http://foremost.sourceforge.net/foremost.html to understand more about foremost and how to set up foremost.conf.

Run foremost against the floppy.dd disk image in your terminal.

Question 19: What files did it identify? Did it match the extension of the file?

Question 20: Why is foremost capable of being independent of filesystem, volume, and media?
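Added example, not from the handout and not the foremost project's code: a minimal header/footer carver that works the way foremost's configuration describes. SIGNATURES is a constructed subset of what foremost.conf expresses (JPEG and PNG only), the raw "disk" is built in memory rather than read from floppy.dd, and naming output files by byte offset is a convention chosen here. The point it illustrates for Question 20 is that the carver only scans bytes for known headers and footers; it never reads a partition table, a FAT or a directory entry. For Question 19, note that the extension assigned comes from the signature that matched, not from any file name the file system held.

```python
"""Added example (not foremost's code): header/footer carving over raw bytes.
SIGNATURES and the sample "disk" are CONSTRUCTED for this example."""
import os

# (extension, header, footer, max bytes to carve when no footer is found)
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 20 * 1024 * 1024),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 20 * 1024 * 1024),
]

def build_sample_disk():
    """Constructed raw bytes: a JPEG, a PNG, and a JPEG whose tail was overwritten."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x11" * 40 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x22" * 30 + b"IEND\xaeB`\x82"
    cut = b"\xff\xd8\xff\xe1" + b"\x33" * 10                 # header, no footer
    return b"\x00" * 100 + jpeg + b"\x00" * 50 + png + b"junk" * 20 + cut + b"\x00" * 10

def carve(data, signatures=SIGNATURES):
    """Return carved files sorted by offset; no file system structures are consulted."""
    found = []
    for ext, header, footer, max_size in signatures:
        pos = data.find(header)
        while pos != -1:
            end = data.find(footer, pos + len(header), pos + max_size)
            if end == -1:       # no footer in range: take up to max_size bytes, as foremost does
                stop, complete = min(pos + max_size, len(data)), False
            else:
                stop, complete = end + len(footer), True
            found.append(dict(ext=ext, offset=pos, size=stop - pos, complete=complete,
                              data=data[pos:stop]))
            pos = data.find(header, stop)
    return sorted(found, key=lambda f: f["offset"])

def write_output(found, outdir):
    """Write each carved file (named by byte offset, a convention assumed here) and an audit list."""
    os.makedirs(outdir, exist_ok=True)
    lines = []
    for f in found:
        name = f"{f['offset']:08d}.{f['ext']}"
        with open(os.path.join(outdir, name), "wb") as fh:
            fh.write(f["data"])
        lines.append(f"{name}\t{f['size']}\t{'complete' if f['complete'] else 'truncated'}")
    with open(os.path.join(outdir, "audit.txt"), "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return lines

if __name__ == "__main__":
    for line in write_output(carve(build_sample_disk()), "carved"):
        print(line)
```

The truncated third file shows the trade-off of signature carving: with no footer the carver cannot know where the file ended, so it takes the configured maximum (or the end of the input) and leaves it to the examiner to judge how much of the result is real.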

APPENDIX

(If you choose to run this lab on your own system!)

You may use Helix 1.9 or a later version of the Helix live Linux CD (http://www.e-fense.com/helix/) instead of installing all the software on your system. The Helix live CD includes all the software (except PTK) you need for this lab. If you do not have a Linux/Unix system, a live Linux CD is definitely your choice. If you use the Helix live CD, you can skip “Installing software”.

A. Installing Autopsy and Sleuthkit

Download the latest version of Autopsy and Sleuthkit from http://www.sleuthkit.org/sleuthkit/download.php and http://www.sleuthkit.org/autopsy/download.php

BE SURE to verify the downloaded source archives against their GPG signatures (using gpg) before unpacking them.

Install Sleuthkit:

Select the latest version of Sleuthkit and unpack the distribution to /usr/local

Compile the source code (run “make”).

Copy the man files for Sleuthkit to the appropriate locations in /usr/share/man so that the man pages are found on your man path.

The readme files that accompany the software contain a great deal of important information. Right now, read the README file in the Sleuthkit directory you just unpacked. It will give you an overview of Sleuthkit.

Install the Autopsy Forensic Browser

Choose the latest version of Autopsy and unpack the distribution to /usr/local

Compile the source code (run “make”).

Copy the man files for Autopsy to the appropriate locations in /usr/share/man so that the man pages are found on your man path.

The readme files that accompany the software contain a great deal of important information. Right now, read the /usr/local/autopsy/README file. It will give you an overview of Autopsy.

When prompted for the Sleuthkit directory, enter the directory where you installed Sleuthkit.

When prompted for the NIST National Software Reference Library (NSRL) hit n because we will not be using that for this lab.

When prompted for the location of the Evidence locker, enter /usr/local/evidence. (This directory needs to be created beforehand; otherwise the autopsy program generates an error when it starts up.)

*** NOTE: This directory has been specified for ease of use in this lab exercise. In the field it would be advisable to create a separate partition (or use another hard drive) and mount it into the filesystem at its own location, away from system files (e.g. usr, home, etc.). In this way the partition or hard drive can be wiped of any old evidence (zeroed) before new evidence is written to it, thereby preventing cross-contamination of evidence. ***

B. Installing Foremost

 

Download the latest version of foremost from http://foremost.sourceforge.net/

Make and install the software.

Copy the man page to the proper directory.

Pan, 4055-841
UNIX Forensics Lab
