Giant FAT32 Partitions
Sunday, July 10, 2005

I recently needed to make a bizarrely huge FAT32 partition (1.6TB) to write some files from a DOS-based program. Most OSes and add-on applications (Maxtor Maxblast and Partition Magic) will make a really large FAT32 partition, but you won't be able to access anything more than 128GB because of how they are created. Curtis Rose told me about a little-used flag in the Linux mkfs.vfat or mkdosfs tool. All you need to do is:

mkfs.vfat -F 32 /dev/sda or mkdosfs -F 32 /dev/sda

See "man mkfs.vfat" or "man mkdosfs" for information on why this works. It works really well and formats very fast.



Categories ::Computer Forensics:: ::Linux::

Building A Bootable Linux Distribution For Computer Forensics, Incident Response Or Network Security Testing
Sunday, May 01, 2005

I've been meaning to post this set of instructions for some time. I've been finished with it since the beginning of March but haven't been able to find the time to do the edits necessary to publish it until now.

The document is a complete set of instructions from initial hard disk setup to X-Windows desktop configuration of how to build your own bootable Linux CD-ROM for computer forensics, incident response or network security testing. The instructions will work with Feather Linux or Knoppix or just about any distribution based upon Knoppix.

You're probably asking yourself two questions: #1 Why did you do this? There are plenty of instructions out there on building a bootable Linux distribution. #2 What makes your instructions better?

The answer to these questions is that most of the instructions out there have a lot of gaps in them or assume that the reader knows the next logical step to take. Some of the instructions out there also conflict with themselves and with others. I spent a lot of time making sure that my instructions made no assumptions about the reader other than that they could operate in a Linux environment. I made sure that the instructions went from the basics of setting up the hard disk for remastering all the way to making your own icons for the X-Windows manager.

These instructions are angled at building a bootable Linux CD-ROM for wireless security testing, but the methods used would apply to building a distribution for anything that you might be interested in. You'll notice in the instructions that I couldn't help but throw in some computer forensics and network security testing tools. I've built twenty-five versions of this distribution now so I'm pretty sure that the instructions work. If you find any errors, omissions or just plain problems please email me and I'll see about fixing it.

Download Documentation of the Development of a Bootable Linux Distribution



Categories ::Computer Forensics:: ::Config Files:: ::Linux::

Making Forensic Images Of Backup Tapes Using DCFLDD

I recently had a strange client request that we extract all of the data from some backup tapes in dd format and pass them on for further analysis. This wasn't the first time that we had received such a request, and I want to acknowledge the work of Keith J. Jones, co-author of the upcoming book Real Digital Forensics, in making this posting possible. Keith did all of the hard work up front figuring out how to make the darn tape drive work and how to actually figure out block sizes.

The first thing you need to do is make sure that you've got a SCSI card with a 68-pin connector in your Linux system. I recommend using a solid Adaptec SCSI card like the AHA-2940. You really can't go wrong with Adaptec SCSI cards; there is driver support for Adaptec cards in almost every OS. I used Fedora Core 3 for all the duplication. You could probably also use a bootable CD-ROM like Knoppix, but I like an installed OS for really long processes like this. Knoppix does have automatic detection and driver support for Adaptec SCSI controllers.

Next you're going to need a tape drive. I recommend checking The Linux Tape Device Certification Program web site before purchasing your tape drive. Tape drives are expensive and it's best to be sure that you are going to get hardware that someone else has actually had some luck with before dropping big bucks. I always check the certification list before purchasing a tape drive and I've never had a drive that wouldn't work. When it comes to getting a tape drive right away I recommend CDW; they aren't always the cheapest, but when you need the right equipment right away you can count on them. I've been using the same account manager at CDW at four different companies for the past ten years and they have never disappointed me. It's also nice to be able to call an account manager and find out critical information prior to making your purchase, like whether a SCSI cable comes included with the tape drive.

I've used Sony, Quantum, Overland and HP tape drives over the past 4-5 years and have found all but the HPs to be very reliable. I've experienced a number of drive failures and robot arm failures on HP systems.

Once you have all the equipment together and connected it is time to get started. The first thing you should do is write-protect your source tape. There is no magic to write-protecting the tape; it is usually just a slider on the back or side of the cartridge. The magic is in figuring out which way the slider has to be positioned to be write-protected. The only good way to figure this out if you don't have the instructions that are packaged with the tape is to go to the manufacturer's web site and dig the information up. Beware that write-protection on some tapes is not perfect; you can still erase some tapes even when the write-protect is activated.

Now we can get down to business. SCSI tape devices on a Linux system are recognized as /dev/st0 and /dev/nst0. /dev/nst0 is the same tape drive as /dev/st0, but /dev/nst0 tells the driver not to automatically rewind the tape after each operation. For everything we do here we want to use /dev/nst0. Obviously if you have more than one tape drive attached they will be /dev/st0, /dev/st1 and so on. Be sure to check dmesg if you are having problems (dmesg | less). Good dmesg output should look like this:

SCSI subsystem initialized
scsi0 : Adaptec AIC7XXX EISA/VLB/PCI SCSI HBA DRIVER, Rev 6.2.36
<Adaptec 2940 Ultra SCSI adapter>
aic7880: Ultra Wide Channel A, SCSI Id=7, 16/253 SCBs
(scsi0:A:5): 20.000MB/s transfers (10.000MHz, offset 8, 16bit)
Vendor: QUANTUM Model: SDLT600 Rev: 1E1E
Type: Sequential-Access ANSI SCSI revision: 04
st: Version 20041025, fixed bufsize 32768, s/g segs 256
Attached scsi tape st0 at scsi0, channel 0, id 5, lun 0
st0: try direct i/o: yes (alignment 512 B), max page reachable by HBA 1048575

With your tape in the drive the first thing we want to do is rewind the tape and move it to the first file, file 0. Some tape drives, like my new Quantum SDLT 600 drive, do this automatically when you put a new tape in, but others don't. Type the following:

mt asf 0

asf tells the drive to position the tape at the beginning of file number count: positioning is done by first rewinding the tape and then spacing forward over count filemarks. But let's check just to make sure. Type the following:

mt status

This should verify for you that you are at the beginning of the tape and on file 0. There are a bunch of codes that the mt status command will show that are of use to you:

BOT - Beginning Of Tape
EOT - End Of Tape
EOD - End Of Data

Next we start the process of copying data and, more importantly, trying to guess what block size the tape backup software that created the tape used to write it. There is no real science to this part, just some logical guessing. First mount a drive that you are going to dd the tape data out to; in our example we will assume that our target drive is /mnt/storage. Then start by trying the smallest block size, 512 bytes, first. Type the following:

dcfldd if=/dev/nst0 of=/mnt/storage/file0.img bs=512 <---512-byte blocks (bs=512b would mean 512 units of 512 bytes, i.e. 256k)

If everything is good you will get a number of blocks copied from the tape to /mnt/storage directory and a positive dcfldd output that looks like:

20044080+0 records in
20044080+0 records out
20525137920 bytes transferred in 5665.925325 secs (3622557 bytes/sec)

Remember from my previous postings on dd that +0 is good and +1 or +2 is bad. You will also probably get some kind of error message from the tape drive if you didn't read any data. If the read failed you have to repeat the whole process and increment the block size. Type the following:

mt asf 0 <---to move the tape back to file 0
mt status <---just to make sure we are back on file 0 and at BOT
dcfldd if=/dev/nst0 of=/mnt/storage/file0.img bs=1k <---notice that we have incremented the block size to 1k

Here is the bad news. You don't know how many files are going to be on the tape and they may have different block sizes. I usually find that the blocks are 512 bytes, 1k, 4k, 16k, 32k or 64k. Different tape backup software from different manufacturers can create files in a variety of block sizes on a tape. Some tape backup software creates tape lead-ins and lead-outs that are small, like two blocks of 512 bytes, and then writes all other files in 16k blocks.

Once you have successfully found the right block size and copied file0.img the tape will now be on file 1. It is important that you keep track of what file number you are working on so that when you do the mt asf # command you don't mess up and keep copying the same file over and over. For example after having successfully copied file 0 you would do the following:

dcfldd if=/dev/nst0 of=/mnt/storage/file1.img bs=1k <---notice we changed the file name

If everything went well you just keep copying away but if it errors you have to go back to file 1 by typing:

mt asf 1 <---rewinds the tape back to file 1
dcfldd if=/dev/nst0 of=/mnt/storage/file1.img bs=2k <---notice we changed the block size

You want to just keep repeating this process until you get an EOD or EOT notice from mt status. When you are done copying all of the data off the tape you can rewind and eject the tape by typing:

mt offline

Once you have finished copying all the data I recommend generating MD5 sums of all of the files. You could do this while doing the dcfldd but I like to write all of the hash values to a single file when I'm finished. The easiest way to do this is to use md5deep from VirtualWar friend Jesse Kornblum. md5deep allows you to recursively examine a directory and make MD5 hashes of every file in the directory and every subdirectory. Type the following:

md5deep -r -e -l /mnt/storage/* > md5sums.txt

The -r tells md5deep to recurse, the -e provides an estimate of how long the MD5 hash will take to compute for each file, and the -l tells md5deep to output relative file names instead of absolute paths into the log file. Be sure to read the man page for md5deep for more options. Generating MD5 hashes of large files can take several hours; for example a 100GB file takes about 3 1/2 hours to compute on a 3GHz P4. It can take 10-15 hours to compute all of the MD5 hash values for an entire tape.

I'm hoping to get a chance to write a shell script to automate this whole process in the near future. Check back to see.
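The author says above that he hopes to script this process. The following is an added example, not the author's script and not part of the original post: a POSIX sh version of the mt asf / dcfldd loop described in this post. It assumes the tape is on $TAPE (/dev/nst0 by default), that images go under $DEST, that the candidate block sizes are the ones the post lists, and, going one step beyond the post, that a read reporting "0+0 records in" means the tape has run past its last file.

```sh
#!/bin/sh
# image_tape.sh: added example automating the mt asf / dcfldd block-size search.
# Not the post's script. Assumptions: tape on $TAPE, images under $DEST, block
# sizes to try in $SIZES, and "0+0 records in" taken to mean end of data.
TAPE=${TAPE:-/dev/nst0}
DEST=${DEST:-/mnt/storage}
SIZES=${SIZES:-"512 1k 2k 4k 8k 16k 32k 64k"}

# 0 when mt status already reports end of data / end of tape.
tape_at_end() {
    mt -f "$TAPE" status 2>/dev/null | grep -Eq 'EOD|EOT'
}

# read_file N: reposition to file N and try each block size until a read
# finishes with "+0" (no partial record). Prints the block size that worked.
# Returns 1 if none did, 2 if nothing was read (end of data).
read_file() {
    n=$1
    out="$DEST/file$n.img"
    for bs in $SIZES; do
        mt -f "$TAPE" asf "$n" || return 1      # rewind and space to file N
        if dcfldd if="$TAPE" of="$out" bs="$bs" 2>"$out.log"; then
            if grep -q '^0+0 records in' "$out.log"; then
                rm -f "$out" "$out.log"          # nothing read: past the last file
                return 2
            fi
            if grep -Eq '^[0-9]+\+0 records in' "$out.log"; then
                echo "$bs"
                return 0
            fi
        fi
        rm -f "$out"                             # short or failed read: next size
    done
    return 1
}

# Walk the tape file by file, then hash everything that was written.
# Prints one "fileN.img bs=SIZE" line per file recovered.
image_tape() {
    n=0
    while :; do
        rc=0
        bs=$(read_file "$n") || rc=$?
        [ "$rc" -eq 2 ] && break
        if [ "$rc" -ne 0 ]; then
            echo "file $n: no candidate block size gave a clean read" >&2
            return 1
        fi
        echo "file$n.img bs=$bs"
        n=$((n + 1))
        tape_at_end && break
    done
    (cd "$DEST" && md5deep -r -e -l . > md5sums.txt)
}

# Run with: sh image_tape.sh run   (or TAPE=/dev/nst1 DEST=/data sh image_tape.sh run)
if [ "${1:-}" = run ]; then
    image_tape
fi
```

Each attempt repositions with mt asf before reading, so a failed guess never leaves the tape sitting mid-file, and the file number is tracked by the loop rather than by hand, which is the mistake the post warns about.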



Categories ::Computer Forensics:: ::Linux::

Using dcfldd
Sunday, October 31, 2004

Anyone involved in computer forensics for any period of time has probably heard of dcfldd, the forensic rebuild of dd that was done by the Department of Defense Computer Forensics Laboratory (DCFL) in Linthicum, Maryland. The DCFL no longer maintains dcfldd, but it can still be found in source form at the DMZS-Biatchux Bootable CD Distro site on SourceForge.net. Unfortunately there isn't a lot of love for dcfldd anymore and it hasn't been updated since 2002. I've also found that the source won't compile on Fedora Core 1 or 2 without this patch provided by Kevin Kult.

The patch process is simple; just type: patch dcfldd.c dcfldd_patch.txt

Wham, boom, you are ready to compile per the directions.

You might be asking yourself why Brian is bothering with all of this stuff when he could just use dd. The answer is simple: 1) a progress status indicator; 2) automatic MD5 hashing.

I really don't like how normal dd just sits there, especially when I'm doing something tedious like /dev/zeroing a 300GB disk. dcfldd provides a running progress counter that makes me feel good about life. The MD5 hashing just saves time if you are using dcfldd for forensic duplication. dcfldd has two switches that give you different ways of getting your MD5 hash values.

hashwindow=xxx This allows you to get a MD5 hash sum of the image every so many kilobytes. I found that it will accept as high as 9 exabytes as a value. It just spits the hash value to the screen unless you use the hashlog switch.

hashlog=filename This allows you to dump the hash value out to a file that you can compare to later.

Here's an example of all of that used together:

dcfldd if=/dev/hdb of=/mnt/external_drive/hdb.img conv=noerror,notrunc,sync hashwindow=999999999999999 hashlog=/mnt/external_drive/hashfile.log

Of course, that is all one really long command.
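Where dcfldd is not available (the post notes it no longer builds cleanly on newer systems), the same one-pass copy-and-hash can be done with plain dd, tee and md5sum. This is an added example, not dcfldd and not a command from the post: it emulates a single whole-image hashlog, not per-window hashwindow output, and the paths and function names are assumptions.

```sh
#!/bin/sh
# Added example: one-pass copy-and-hash with plain dd as a stand-in for dcfldd's
# hashlog. Not dcfldd and not the post's command. Assumes GNU coreutils (dd,
# md5sum, cut) and writable SRC/DEST/LOG paths.

# copy_and_hash SRC DEST LOG [BS]
# The single read from SRC feeds both the image (via tee) and md5sum, so LOG
# holds the MD5 of exactly the bytes written to DEST. Returns 1 if dd did not
# report clean "+0" record counts (the "+1" the post warns about) or if the
# pipeline failed.
copy_and_hash() {
    src=$1; dest=$2; log=$3; bs=${4:-4096}
    dd if="$src" bs="$bs" conv=noerror,sync 2>"$dest.ddlog" \
        | tee "$dest" | md5sum | cut -d' ' -f1 > "$log" || return 1
    grep -Eq '^[0-9]+\+0 records in' "$dest.ddlog" || return 1
    grep -Eq '^[0-9]+\+0 records out' "$dest.ddlog" || return 1
    [ -s "$log" ]
}

# verify_image DEST LOG: recompute the MD5 of the image on disk and compare it
# with what was logged at copy time. Any later change to DEST fails this check.
verify_image() {
    dest=$1; log=$2
    [ "$(md5sum < "$dest" | cut -d' ' -f1)" = "$(cat "$log")" ]
}

# Usage: copy_and_hash /dev/hdb /mnt/external_drive/hdb.img /mnt/external_drive/hashfile.log
#        verify_image  /mnt/external_drive/hdb.img /mnt/external_drive/hashfile.log
```

The point of hashing the stream rather than re-reading the finished file is the same as dcfldd's: the logged value describes the bytes as they left the source device, so a later verify_image that disagrees tells you the image changed after acquisition.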



Categories ::Computer Forensics:: ::Linux::

Remastering Knoppix Linux for Computer Forensics and Incident Response
Saturday, September 11, 2004

Recently as part of a project I started remastering Knoppix Linux 3.6 to make my own bootable Linux distribution specifically designed for computer forensics and incident response. While there are already a bunch of Knoppix distributions out there that claim to be for forensics and IR most of them are just a big pile of redundant security tools thrown on a CD without any real thought.

As part of the project I also wanted to have functioning X-Windows and, for the grand finale, fit it all on a 210MB mini-CD. Not because I need a mini-CD but because they are cool.

While I haven't completely succeeded in getting my remastered distribution just the way I want it yet, I have made dozens of completely workable distributions. I wanted to share some of the scripts that I have built (count that as stolen heavily from other people's scripts) to speed up the remastering process.

#!/bin/sh
## setup.sh ## This script automates all the basic steps of preparing to remaster Knoppix
## The script assumes that you have already created and formatted a partition
## of 1GB or more on /dev/hda1.
## Brian Dykstra, Sep 04.
## Credits: Klaus Knopper, 2004
## http://www.knoppix.net/docs/index.php/KnoppixRemasteringHowto
##
echo -e "\nSetting system time\n"
ntpdate clock2.redhat.com
echo -e "\nFormatting /dev/hda1\n"
mke2fs -j /dev/hda1
echo -e "\nMounting /dev/hda1\n"
mount -t ext3 /dev/hda1 /mnt/hda1
echo -e "Drive mounted\n"
echo -e "Creating directories and swap\n"
mkdir /mnt/hda1/knx
cd /mnt/hda1/knx
dd if=/dev/zero of=swapfile bs=1M count=750
mkswap swapfile
swapon swapfile
mkdir -p /mnt/hda1/knx/master/KNOPPIX
mkdir -p /mnt/hda1/knx/source/KNOPPIX
echo -e "\nCopying source files from the CD-ROM\n"
cp -Rp /KNOPPIX/* /mnt/hda1/knx/source/KNOPPIX
cp /cdrom/index.html /mnt/hda1/knx/master/
cd /cdrom;find . -size -10000k -type f -exec cp -p --parents {} /mnt/hda1/knx/master/ \;
echo -e "All ready to chroot!\n"

Download setup.sh

#!/bin/sh
## postchroot.sh
## This script sets you up properly after moving into the chroot env for remastering.
## Brian Dykstra, Sep 04.
## Credits: Klaus Knopper, 2004
## http://www.knoppix.net/docs/index.php/KnoppixRemasteringHowto
##
mount -t proc /proc proc
echo -e "Updating /etc/resolv.conf\n"
echo nameserver 68.54.80.5 >> /etc/resolv.conf
ping -c 5 www.google.com
echo -e "\nUpdating the package list\n"
apt-get update

Download postchroot.sh

#!/bin/sh
## makeCD.sh
## Make the cloop compressed ISO 9660 filesystem and ISO 9660 image.
## Brian Dykstra, Sep 04.
## Credits: Klaus Knopper, 2004
## http://www.knoppix.net/docs/index.php/KnoppixRemasteringHowto
##
rm -rf /mnt/hda1/knx/source/KNOPPIX/.rr_moved
mkisofs -R -U -V "Your Linux" -P "www.domain.com" -hide-rr-moved -cache-inodes -no-bak -pad /mnt/hda1/knx/source/KNOPPIX | nice -5 /usr/bin/create_compressed_fs - 65536 > /mnt/hda1/knx/master/KNOPPIX/KNOPPIX
cd /mnt/hda1/knx/master
rm -f KNOPPIX/md5sums
find -type f -not -name md5sums -not -name boot.cat -not -name isolinux.bin -exec md5sum {} \; >> KNOPPIX/md5sums
mkisofs -pad -l -r -J -v -V "Your Linux" -no-emul-boot -boot-load-size 4 -boot-info-table -b boot/isolinux/isolinux.bin -c boot/isolinux/boot.cat -hide-rr-moved -o /mnt/hda1/knx/your.iso /mnt/hda1/knx/master

Download makeCD.sh



Categories ::Computer Forensics:: ::Config Files:: ::Linux:: ::Simple Shell Scripts:: ::X-Windows::

I Keep Forgetting All That Fancy TAR Stuff
Sunday, July 25, 2004

If you are like me (not a full-time sysadmin) you frequently forget how to do some of the most common things. That is what this page is all about. One of the things that I only have to do infrequently is create a tarball.

Create a simple tarball of a directory: tar -cvf tarfile_name.tar /directory_to_tar

Technically you don't have to use the dash but I'm old school and older versions of tar might complain.

Create a tarball with gzip compression: tar -czvf tarfile_name.tar.gz /directory_to_tar

Create a tarball with bzip2 compression: tar -cjvf tarfile_name.tar.bz2 /directory_to_tar

This next one is one that I frequently use. I want to tar everything in a directory except a certain subdirectory:

tar -cvf tarfile_name.tar --exclude=/directory_to_tar/subdirectory_name /directory_to_tar

I know all of this stuff is in the man pages but I get tired of looking it up every time I want to do something simple. Enjoy.



Categories ::Computer Forensics:: ::Linux::

Version 1.1 of the Gentoo Linux Quick Install Guide for a Forensic Workstation
Sunday, March 07, 2004

Download the Gentoo Linux Quick Install Guide for a Forensic Workstation, Version 1.1



Categories ::Computer Forensics:: ::Linux::

Gentoo Linux Quick Install Guide for a Forensic Workstation, Version 1.0
Thursday, March 04, 2004

This is a quick installation guide for experienced Linux users that are involved in computer forensics. The document is targeted at getting the system up and running with maximum file system support.

Download the Gentoo Linux Quick Install Guide for a Forensic Workstation, Version 1.0



Categories ::Computer Forensics:: ::Linux::

Using losetup to make a dd image into a device
Thursday, February 12, 2004

You might want to take a look at one of those dd image files you made. losetup lets you turn an image file into a /dev so that you can do just that.

losetup /dev/loop0 /mnt/storage/disk.1.img

If you do an fdisk -l you will see that you now have a /dev/loop0, which can be mounted like any other disk partition. For forensic work add -r (read-only) to the losetup command so that nothing can write to the image through the loop device.



Categories ::Computer Forensics:: ::Linux::

Using dd to wipe a hard disk

You can completely wipe a hard disk of all data by using dd to write zeros over the whole disk.

dd if=/dev/zero of=/dev/hdc

If you view the disk afterwards with a hex editor you will find that it contains all zeros.



Categories ::Computer Forensics:: ::FreeBSD:: ::Linux::

Using dd to copy a hard disk to CD-ROM

If you are in the mood you can use dd to copy the contents of a hard disk to CD-ROM.

dd if=/dev/hdc of=/mnt/storage/disk.1.img bs=1024 skip=0 count=620 conv=noerror,notrunc,sync

dd if=/dev/hdc of=/mnt/storage/disk.2.img bs=1024 skip=620 count=620 conv=noerror,notrunc,sync

dd if=/dev/hdc of=/mnt/storage/disk.3.img bs=1024 skip=1240 count=620 conv=noerror,notrunc,sync

As you can see from the example it is necessary to use the skip switch to move forward another 620 blocks for each new CD-ROM: blocks are numbered from 0, so the first image holds blocks 0 through 619 and the second must start at block 620 (skipping 621 would silently drop block 620). Otherwise we would have copies of the same 620 blocks on each CD-ROM.

The whole disk image could actually be recreated by doing:

cat disk.1.img disk.2.img disk.3.img > whole_disk.img



Categories ::Computer Forensics:: ::FreeBSD:: ::Linux::

Basic use of dd

Using dd properly has been one of those things that I have put off forever because the command string looked really long and the man page is less than clear. As it turns out nothing could be farther from the truth. Once you know what it is all about, dd is extremely simple.

As a basic example let's assume that we want to copy a floppy disk. Floppy disks are great for practicing on. No chance of hurting your system.

The basic command is:

dd if=/dev/fd0 of=/storage/floppy.img

The example assumes that your floppy drive is /dev/fd0 and that you have a directory on your system named /storage that is suitable for copying an image into. Now for the specifics of what just happened.

if - Specifies the input file to be read
of - Specifies the output file to be written

Writing the image back to another floppy disk goes like this (the output is the raw device, not a mount point such as /mnt/floppy):

dd if=/storage/floppy.img of=/dev/fd0

Doesn't get much simpler than that. If we want to get fancy we can add some other switches.

bs - Specifies the block size, in bytes, to be read and written. The default on most systems is 512 bytes. Bigger blocks mean that the transfer goes faster, but if there are errors the number of bytes missed in the copy is larger.
count - Specifies the number of blocks to copy from the input file to the output file. This is useful if you want to break a large disk up into CD-ROM size images.
skip - Specifies the number of blocks to skip from the beginning before reading from the input file.
conv - Allows extra arguments to be specified as follows:
notrunc - Will not allow the output to be truncated in case of an error.
noerror - Will not stop reading the input file in case of an error (i.e. bad blocks).
sync - Will fill the corresponding output block with zeros when an input error occurs. This only occurs if used with notrunc.

Now for a couple of examples using it all:

dd if=/dev/hdc of=/dev/hdd bs=1024 conv=noerror,notrunc,sync

This example does a bit-for-bit copy of the hard disk /dev/hdc to the hard disk /dev/hdd. At the end of the process the drives should be identical.

dd if=/dev/hdc of=/mnt/storage/disk.img bs=1024 conv=noerror,notrunc,sync

This example does a bit-for-bit copy of the hard disk /dev/hdc into a file called disk.img on /mnt/storage.

Lastly you want to make sure your disk imaged properly. The primary indicator is the output of the dd command. If everything went well you will see something like:

20044080+0 records in
20044080+0 records out
20525137920 bytes transferred in 5665.925325 secs (3622557 bytes/sec)

What you are looking for is that "records in" and "records out" both have a +0 (meaning they matched). The +0 indicates that everything went well. If you see something like the following, things went bad.

20044079+1 records in
20044080+0 records out
20525137920 bytes transferred in 5665.925325 secs (3622557 bytes/sec)
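The CD-ROM splitting from the earlier "Using dd to copy a hard disk to CD-ROM" post and the +0/+1 record check just described, worked through together as one added example. This is not the post's own command set: the function names, the disk.N.img naming, the 2000-block test image and the use of cmp for the final comparison are assumptions, and the chunk arithmetic is written for any chunk size rather than only the 620 blocks the post uses.

```sh
#!/bin/sh
# Added example (not the post's commands): chunk an image into pieces with
# cumulative skip offsets, confirm each dd run reported "+0" records, and prove
# the pieces reassemble to the original. Paths and sizes are assumptions.
# For a real disk, TOTAL_BLOCKS comes from: blockdev --getsize64 /dev/hdc / BS.

# dd_clean LOG: 0 only if both "records in" and "records out" ended in +0,
# i.e. no partial block was read or written (the post's good/bad indicator).
dd_clean() {
    grep -Eq '^[0-9]+\+0 records in' "$1" && grep -Eq '^[0-9]+\+0 records out' "$1"
}

# split_image SRC DESTDIR CHUNK_BLOCKS TOTAL_BLOCKS [BS]
# Writes DESTDIR/disk.N.img (N from 1) and prints how many chunks were written.
split_image() {
    src=$1; dest=$2; chunk=$3; total=$4; bs=${5:-1024}
    skip=0; n=1
    while [ "$skip" -lt "$total" ]; do
        log="$dest/disk.$n.log"
        # skip is the number of blocks already copied: 0, 620, 1240, ... Blocks
        # are numbered from 0, so the first chunk holds 0..619 and the next
        # starts at 620; skipping one block more would silently drop block 620.
        dd if="$src" of="$dest/disk.$n.img" bs="$bs" skip="$skip" count="$chunk" \
           conv=noerror,sync 2>"$log" || return 1
        dd_clean "$log" || return 1
        skip=$((skip + chunk)); n=$((n + 1))
    done
    echo $((n - 1))
}

# reassemble_and_verify SRC DESTDIR N: cat the chunks back in numeric order
# (a shell glob would put disk.10.img before disk.2.img) and compare with SRC;
# cmp also fails on a length mismatch, which is what a dropped block looks like.
reassemble_and_verify() {
    src=$1; dest=$2; n=$3
    i=1; : > "$dest/whole_disk.img"
    while [ "$i" -le "$n" ]; do
        cat "$dest/disk.$i.img" >> "$dest/whole_disk.img"
        i=$((i + 1))
    done
    cmp -s "$src" "$dest/whole_disk.img"
}

# Usage: n=$(split_image /dev/hdc /mnt/storage 620 "$TOTAL_BLOCKS")
#        reassemble_and_verify /dev/hdc /mnt/storage "$n"
```

The verification step is the part worth keeping even when the split is done by hand: reassembling and comparing against the source (or against a hash taken of the source) is the only way to catch an off-by-one in the skip values before the source disk is gone.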



Categories ::Computer Forensics:: ::FreeBSD:: ::Linux::