Linux as a Forensic Tool Intro


A Practitioner's Guide to Linux as a Computer Forensic Platform

[email protected]

VER 3.78 December 2008

v.3.78 The Law Enforcement and Forensic Examiner's Introduction to Linux

Legalities .... 4
Acknowledgments .... 4
Foreword .... 5
A Word About the GNU in GNU/Linux .... 6
Why Learn Linux? .... 6
Conventions Used in This Document .... 7

I. Installation .... 8
  Distributions .... 8
  Slackware and Using This Guide .... 11
  Installation Methods .... 12
  Slackware Installation Notes .... 12
  Desktop Environment .... 16
  The Linux Kernel: Versions and Issues .... 16
  Configuring Slackware 12: 2.6 Kernel Considerations .... 19
    udev .... 19
    Hardware Abstraction Layer .... 20
    DBUS .... 20
    2.6 Kernel and Desktops .... 21
  Rolling Your Own: The Custom Kernel .... 21

II. Linux Disks, Partitions and the File System .... 23
  Disks .... 23
  Partitions .... 23
  Using Modules: Linux Drivers .... 25
  Device Recognition .... 27
  The File System .... 28

III. The Linux Boot Sequence (Simplified) .... 30
  Booting the Kernel .... 30
  Initialization .... 32
  Runlevel .... 32
  Global Startup Scripts .... 33
  Service Startup Scripts .... 33
  Bash .... 34

IV. Linux Commands .... 36
  Linux at the Terminal .... 36
  Additional Useful Commands .... 39
  File Permissions .... 41
  Metacharacters .... 44
  Command Hints .... 44
  Pipes and Redirection .... 44
  The Superuser .... 46

V. Editing with Vi .... 47
  The Joy of Vi .... 47
  Vi Command Summary .... 48

VI. Mounting File Systems .... 49
  The Mount Command .... 49
  The File System Table (/etc/fstab) .... 51

Barry J. Grundy 2

VII. Linux and Forensics .... 53
  Included Forensic Tools .... 53
  Analysis Organization .... 54
  Determining the Structure of the Disk .... 55
  Creating a Forensic Image of the Suspect Disk .... 56
  Mounting a Restored Image .... 57
  Mounting the Image Using the Loopback Device .... 58
  File Hash .... 58
  The Analysis .... 61
  Making a List of All Files .... 62
  Making a List of File Types .... 63
  Viewing Files .... 65
  Searching Unallocated and Slack Space for Text .... 66

VIII. Common Forensic Issues .... 70
  Handling Large Disks .... 70
  Preparing a Disk for the Suspect Image .... 72
  Obtaining Disk Information .... 74

IX. Advanced (Beginner) Forensics .... 76
  The Command Line on Steroids .... 76
  Fun with DD .... 84
  Splitting Files and Images .... 84
  Compression on the Fly with DD .... 87
  Data Carving with DD .... 91
  Carving Partitions with DD .... 94
  Determining the Subject Disk File System Structure .... 98
  DD over the Wire .... 101

X. Advanced Forensic Tools .... 104
  Alternative Imaging Tools .... 106
    dc3dd .... 106
    ddrescue .... 113
    Bad Sectors: ddrescue .... 119
    Bad Sectors: dc3dd .... 122
    Bad Sector Acquisition Conclusions .... 124
  libewf: Working with Expert Witness Files .... 125
  Sleuth Kit .... 134
  Sleuth Kit Installation and System Prep .... 136
  Sleuth Kit Exercises .... 138
    Sleuth Kit Exercise #1: Deleted File Identification and Recovery .... 139
    Sleuth Kit Exercise #2: Physical String Search & Allocation Status .... 150
    Sleuth Kit Exercise #3: Unallocated Extraction & Examination .... 157
    Sleuth Kit Exercise #4: NTFS Examination: File Analysis .... 163
    Sleuth Kit Exercise #5: NTFS Examination: ADS .... 168
    Sleuth Kit Exercise #6: NTFS Examination: Sorting Files .... 171
    Sleuth Kit Exercise #7: Signature Search in Unallocated Space .... 174
  SMART for Linux .... 179
    SMART Filtering .... 185
    SMART Filtering: Viewing Graphics Files .... 187
    SMART Searching .... 189

XI. Bootable Linux Distributions .... 194
  Tomsrtbt: Boot from a Floppy .... 194
  Knoppix: Full Linux without the Install .... 194
  SMART Linux: It's Bootable! .... 194
  Helix: Knoppix-Based Incident Response .... 195

XII. Conclusion .... 196

XIII. Linux Support .... 197
  Places to Go for Support .... 197

Legalities

All trademarks are the property of their respective owners.

Copyright 1998-2008 Barry J. Grundy ([email protected]): This document may be redistributed, in its entirety, including the whole of this copyright notice, without additional consent if the redistributor receives no remuneration and if the redistributor uses these materials to assist and/or train members of Law Enforcement or Security/Incident Response professionals. Otherwise, these materials may not be redistributed without the express written consent of the author, Barry J. Grundy.

Acknowledgments

As this guide grows in length and depth, so do the contributions I receive from others in the field that take time out of their own busy days to assist me in making sure that this document is at least accurate, if not totally complete. I very much appreciate the proofreading and suggestions made by all. Every time I get comments back on a draft version of this guide, I learn something new.

I would like to thank Cory Altheide, Brian Carrier, Christopher Cooper, Nick Furneaux, John Garris, Robert-Jan Mora, and Jesse Kornblum for providing critical review, valuable input, and in some cases, a much needed sanity check of the contents of this document. Special thanks to Robby Workman for providing very constructive guidance on Slackware details throughout the entire guide. All of the expertise and contributions are greatly appreciated.

Also, I would like to specifically thank all of the Linux Kernel, various distribution, and software development teams for their hard work in providing us with an operating system and utilities that are robust and controllable. Too often we forget the amount of dedication and work that goes into what many end users expect to "just work".

Foreword

The purpose of this document is to provide an introduction to the GNU/Linux (Linux) operating system as a forensic platform for computer crime investigators and forensic examiners.

This is the third major iteration of this paper. There is a balance to be met between maintaining the original introductory purpose of the work, and the constant requests from others coupled with my own desire to add more detailed content. Since the first release, this work has almost quadrupled in length. The content is meant to be beginner level, but as the computer forensic community evolves and the subject matter widens and becomes more mainstream, the definition of "beginner level" material starts to blur. As a result, I've made an effort to keep the material as basic as possible without omitting those subjects that I see as fundamental to the proper understanding of Linux and its potential as a computer forensic platform. A number of people have pointed out to me that with inclusion of some of the more complex exercises, this document should be given the more fitting "practitioner's guide" moniker rather than "beginner's guide".

We follow the philosophy that a hands-on approach is the best way to learn. GNU/Linux operating system utilities and specialized forensic tools available to investigators for forensic analysis are presented with practical exercises.

This is by no means meant to be the definitive "how-to" on forensic methods using Linux. Rather, it is a (somewhat extended) starting point for those who are interested in pursuing the self-education needed to become proficient in the use of Linux as an investigative tool. Not all of the commands offered here will work in all situations, but by describing the basic commands available to an investigator I hope to "start the ball rolling". I will present the commands; the reader needs to follow up on the more advanced options and uses. Knowing how these commands work is every bit as important as knowing what to type at the prompt. If you are even an intermediate Linux user, then much of what is contained in these pages will be review. Still, I hope you find some of it useful.

Over the years I have repeatedly heard from colleagues that have tried Linux by installing it, and then proceeded to sit back and wonder "what next?" I have also entertained a number of requests and suggestions for a more expansive exploration of applications available to Linux for forensic analysis at the application level. You have a copy of this introduction. Now download the exercises and drive on.

As always, I am open to suggestions and critique. My contact information is on the front page. If you have ideas, questions, or comments, please don't hesitate to email me. Any feedback is welcome.

This document is occasionally (infrequently, actually) updated. Check for newer versions (numbered on the front page) at the official site:

http://www.LinuxLEO.com

A word about the GNU in GNU/Linux

When we talk about the Linux operating system, we are actually talking about the GNU/Linux operating system (OS). Linux itself is not an OS. It is just a kernel. The OS is actually a combination of the Linux kernel and the GNU utilities that allow us (more specifically our hardware) to interact with the kernel. Which is why the proper name for the OS is GNU/Linux. We (incorrectly) call it "Linux" for convenience.

Why Learn Linux?

One of the questions I hear most often is: "why should I use Linux when I already have [insert Windows GUI forensic tool here]?" There are many reasons why Linux is quickly gaining ground as a forensic platform. I'm hoping this document will illustrate some of those attributes.

- Control: not just over your forensic software, but the whole OS and attached hardware.
- Flexibility: boot from a CD (to a complete OS), file system support, platform support, etc.
- Power: A Linux distribution is (or can be) a forensic tool.

Another point to be made is that simply knowing how Linux works is becoming more and more important. While many of the Windows-based forensic packages in use today are fully capable of examining Linux systems, the same cannot be said for the examiners.

As Linux becomes more and more popular, both in the commercial world and with desktop users, the chance that an examiner will encounter a Linux system in a case becomes more likely (especially in network investigations). Even if you elect to utilize a Windows forensic tool to conduct your analysis, you must at least be familiar with the OS you are examining. If you do not know what is normal, then how do you know what does not belong? This is true on so many levels, from the actual contents of various directories to strange entries in configuration files, all the way down to how files are stored.

While this document is more about Linux as a forensic tool rather than analysis of Linux, you can still learn a lot about how the OS works by actually using it.

Conventions used in this document

When illustrating a command and its output, you will see something like the following:

root@rock:~# command
output...

This is essentially a command line (terminal) session where...

root@rock:~#

...is the command prompt, followed by the command (typed by the user) and then the command's output. The command will be shown in bold text to further differentiate it from command output.

In Linux, the command prompt can take different forms, depending on the environment settings (the default differs among distributions). In the example above, the format is

user@hostname directory #

meaning that we are the user "root" working on the computer named "rock", currently in the directory "root" (the root user's home directory in this case; the home directory is symbolized by the shorthand representation of the tilde, ~). Note that for a root login the command prompt's trailing character is #. If we log in as a regular user, the default prompt character changes to a $, as in the following example:

bgrundy@rock:~$

This is an important difference. The root user is the system "superuser". We will cover the differences between user logins later in this document.

I. Installation

First and foremost, know your hardware. If your Linux machine is to be a dual boot system with Windows, then use the Windows Device Manager to record all your installed hardware and the settings used by Windows. If you are setting up a standalone Linux system, then gather as much documentation about your system as you can. This has become much less important with the evolution of the Linux install routines. Hardware compatibility and detection have been greatly improved over the past couple of years. Some of the recent versions of distributions, like Ubuntu Linux, have extraordinary hardware detection.

- Hard drive: knowing the size and geometry is helpful when planning your partitioning.
- SCSI adapters and devices (note the adapter chipset). SCSI is very well supported under Linux.
- Sound card (note the chipset).
- Video card (important to know your chipset and memory, etc.).
- Monitor timings:
  - Horizontal and vertical refresh rates.
- Network card (chipset).
- Network parameters:
  - IP (if not DHCP)
  - Netmask
  - Broadcast address
  - DNS servers
  - Default gateway
- USB controller support is standard in current distributions.
- IEEE 1394 (Firewire) controller support is also standard in current distributions.

In the vast majority of cases, most of this information will not be needed. But it's always handy to know your hardware if you must troubleshoot.

Most distributions have a plethora of documentation, including online help and documents in downloadable form. Do a Web search and you are likely to find a number of answers to any question you might have about hardware compatibility issues in Linux.
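As an added example (not code from the guide), the following shell script records the checklist items above on a Linux machine into a dated text file, and includes a small parser that turns /proc/partitions output into GiB figures for planning the partition layout. It assumes the usual Linux utilities (fdisk, lspci, ip) and notes any that are missing rather than aborting; the sample partition table at the bottom is constructed, not taken from a real system.

```shell
#!/bin/sh
# Hardware inventory helper for the "know your hardware" checklist.
# Added example, not part of the guide. Assumes fdisk, lspci and ip
# are the standard Linux tools; any that are absent are simply noted.

# Run a command if it exists on this system, otherwise note its absence,
# so the inventory never stops halfway on a minimal install.
run_or_note() {
    if command -v "$1" >/dev/null 2>&1; then
        "$@" 2>&1
    else
        echo "($1 not available on this system)"
    fi
}

# Summarise /proc/partitions-style text from stdin as "<name> <size> GiB".
# /proc/partitions reports sizes in 1 KiB blocks, so divide by 1024*1024.
# Whole disks (sda) and their partitions (sda1, sda2, ...) are both listed,
# which is what you need to see how much space is left unallocated for Linux.
partition_summary() {
    LC_ALL=C awk 'NR > 2 && NF == 4 { printf "%s %.1f GiB\n", $4, $3 / 1048576 }'
}

# Report the largest whole-disk entry (device name with no trailing digit,
# the classic sd*/hd* naming used in this guide) as "<name> <GiB>".
largest_disk_gib() {
    LC_ALL=C awk 'BEGIN { max = 0; name = "" }
        NR > 2 && NF == 4 && $4 !~ /[0-9]$/ && $3 > max { max = $3; name = $4 }
        END { if (name != "") printf "%s %.1f\n", name, max / 1048576 }'
}

# Write the full inventory for the running machine to a dated file and
# print the file name.
hardware_inventory() {
    out="hardware-inventory-$(date +%Y%m%d).txt"
    {
        echo "== Hardware inventory, $(date) =="
        echo "== Disks: size and geometry =="
        run_or_note fdisk -l
        echo "== Block devices (/proc/partitions, sizes in GiB) =="
        partition_summary < /proc/partitions
        echo "== PCI devices: SCSI/SATA, sound, video, network chipsets =="
        run_or_note lspci
        echo "== Network parameters: addresses, netmask, broadcast =="
        run_or_note ip addr show
        echo "== Default gateway =="
        run_or_note ip route show
        echo "== DNS servers =="
        cat /etc/resolv.conf 2>/dev/null || echo "(no /etc/resolv.conf)"
    } > "$out"
    echo "$out"
}

# Constructed sample in /proc/partitions format (not from a real system):
# one 76 GiB disk holding a small /boot, a 2 GiB swap and a root partition.
SAMPLE_PARTITIONS='major minor  #blocks  name

   8        0   80043264 sda
   8        1     104391 sda1
   8        2    2096482 sda2
   8        3   77842360 sda3'

# Only touch the real system when asked to; otherwise show the sample.
if [ "${1:-}" = "--run" ]; then
    hardware_inventory
else
    printf '%s\n' "$SAMPLE_PARTITIONS" | partition_summary
fi
```

Run it as root with `--run` on the machine you are about to install on; without arguments it only prints the summary of the constructed sample.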

Distributions

Linux comes in a number of different "flavors". These are most often referred to as "distributions" ("distro"). Default kernel configuration, tools that are included (system management and configuration, etc.) and the package format (the upgrade path) most commonly differentiate the various Linux distros.

It is common to hear users complain that device X works under Suse Linux, but not on Red Hat, etc. Or that device Y did not work under Red Hat version 9, but a change to CentOS fixed it. Most often, the difference is in the version of the Linux kernel being used and therefore the updated drivers, or the patches applied by the distribution vendor, not the version of the distribution (or the distribution itself).

Here's an overview of just a few of the Linux distros that are available. Selecting one is a matter of preference. Many of these distros now provide a "live CD" that allows a user to boot a CD into a fully functional operating environment. Try them out and see what pleases you.

Red Hat / Fedora: One of the most popular Linux distributions. Red Hat works with companies like Dell, IBM and Intel to assist businesses in the adoption of Linux for enterprise use. Use of RPM and Kickstart began the first real user upgrade paths for Linux. Red Hat has elected to move into an enterprise oriented business model. It is still a viable option for the desktop through the Fedora Project (http://fedoraproject.org/). Fedora is an excellent choice for beginners because of the huge install base and the proliferation of online support. The install routine is well polished and hardware support is well documented. Another Red Hat based distribution is CentOS.

Debian: Not really for beginners. The installation routine is not as polished as some other distributions. Debian has always been a hacker favorite. It is also one of the most non-commercial Linux distributions, and true to the spirit of GNU/GPL. (http://www.debian.org/).

SuSE: Now owned by Novell, SuSE is originally German in origin. It is by far the largest software-inclusive distribution. (http://www.novell.com/linux/). There is an open support network and download directory at http://www.opensuse.org. A Live CD is also available.

Mandriva Linux: Formerly known as Mandrake. Mandriva is a favorite of many beginners and desktop users. It is heavy on GUI configuration tools, allowing for easy migration to a Linux desktop environment. (http://wwwnew.mandriva.com/).

Gentoo Linux: Source-centric distribution that is optimized during install; one of my personal favorites. Once through the complex installation routine, upgrading the system and adding software is made extremely easy through Gentoo's Portage system. Not for beginners, though. You are left to configure the system entirely on your own. If you have endless patience and a lot of time, it can be a fantastic learning experience. (http://www.gentoo.org/).

Ubuntu Linux: A relative newcomer, Ubuntu Linux is based on Debian and although I've not used it myself, it has a reputation for fantastic hardware detection and ease of use and installation. (http://www.ubuntulinux.org). I've heard that this is a great choice for beginners.

Slackware: The original commercial distribution. Slackware has been around for years. Installation is now almost as easy as all the others. Good standard Linux. Not over-encumbered by GUI config tools. Slackware aims to produce the most "UNIX-like" Linux distro available. One of my personal favorites, and in my humble opinion, currently one of the best choices for a forensic platform. (http://www.slackware.com/). This guide is tailored for use with a Slackware Linux installation.

Lots of information on more distributions than you care to read about is available at http://www.distrowatch.com.

My suggestion for the absolute beginner looking to experience an overall desktop OS would be either the newest version of Fedora Core or Ubuntu. If you really want to dive in and bury yourself, go for Gentoo, Slackware or Debian. If you choose one of these latter distributions, be prepared to read a lot.

If you are unsure where to start, will be using this guide as your primary reference, and are interested mainly in forensic applications of Linux, then I would suggest Slackware. More on why a little later.

One thing to keep in mind: As I mentioned earlier, if you are going to use Linux in a forensic capacity, then try not to rely on GUI tools too much. Almost all settings and configurations in Linux are maintained in text files (usually in either your home directory, or in /etc). By learning to edit the files yourself, you avoid problems when either the X window system is not available, or when the specific GUI tool you rely on is not on a system you might come across. In addition, knowledge of the text configuration files will give you insight into what is "normal", and what might have been changed when you examine a subject system. Learning to interpret Linux configuration files is all part of the "forensic experience".

    BarryJ.Grundy 10

SLACKWARE and Using this Guide

Because of differences between distributions, the Linux flavor of your choice can cause different results in commands' output and different behavior overall. Additionally, some sections of this document describing configuration files or startup scripts, for example, might appear vastly different depending on the distro you select.

If you are selecting a Linux distribution for the sole purpose of learning through following along with this document, then I would suggest Slackware. Slackware is stable and does not attempt to enrich the user's experience with cutting edge file system hacks or automatic configurations that might hamper forensic work. Detailed sections of this guide on the inner workings of Linux will be written toward a basic Slackware installation (currently in version 12.1).

Previous versions of this document attempted to be far more "distro-independent". The examples and discussions of configuration files were focused on the more popular distribution formats. In the intervening years, there has been a veritable explosion of different flavors of Linux. This guide has been linked on a number of web sites, and has been used in a variety of training forums. As a result of these changes, I have found myself receiving numerous emails asking questions like "The output I get does not match what's in your guide. I'm using 'Fuzzy Kitten Linux 2.0' with kernel version 2.6.16-fk145.2... What could be wrong?" My reply has become standard to such queries: "I'm not familiar with that version of Linux, and I'm not sure what changes have been made to that kernel." Providing answers to questions on the exercises that follow requires that I know a little about the environment being used. To that end, I've decided to point people towards a standard, stable version of Linux that includes few surprises.

By default, Slackware's current installation routine leaves initial disk partitioning up to the user. There are no default schemes that result in surprising volume groups or other complex disk management techniques. The resulting file system table (also known as "fstab") is standard and does not require editing to provide for a forensically sound environment, unlike some other popular distributions.

The most recent version of Slackware (12.x) now uses the 2.6 series kernel by default. In many circumstances, your hardware will require that you use a 2.6 kernel (certain SATA controllers, etc.). In recognition of this, the current version of this document now assumes that the user has installed a 2.6 kernel version of Linux. This brings the LinuxLEO Practitioner's Guide in line with the majority of forensic practitioners currently using Linux, including myself. Previous versions of this document suggested a 2.4 (kernel version) install.

Slackware Linux is stable, consistent, and simple. As always, Linux is Linux. Any distribution can be changed to function like any other (in theory). However, my philosophy has always been to start with an optimal system, rather than attempt to "roll back" a system heavily modified and optimized for the desktop rather than a forensic workstation.

If you are comfortable with another distribution, then by all means, continue to use and learn it. Just be aware that there may be customizations and modifications made to the standard kernel and file system setups that might not be ideal for forensic use. These can always be remedied, but I prefer to start as close to optimal as possible.

Installation Methods

- Download the needed ISO (CD image) files, burn them to a CD and boot the media. This is the most common method of installing Linux. Most distros can be downloaded for free via http, ftp, or torrent. Slackware is available at http://www.slackware.com. Have a look at http://linuxlookup.com/linux_iso or http://distrowatch.com/ for information on downloading and installing other Linux flavors.
- Use a bootable Linux distribution (covered later). For example, the SMART or Helix Linux bootable CDs can easily be used as experimental platforms. See http://www.asrdata2.com or http://www.e-fense.com/helix for more information.

During a standard installation, much of the work is done for you, and relatively safe defaults are provided. As mentioned earlier, hardware detection has gone through some great improvements in recent years. I strongly believe that many (if not most) Linux distros are far easier and faster to install than other mainstream operating systems. Typical Linux installation is well documented online (check the how-tos at the Linux Documentation Project: http://www.tldp.org/). There are numerous books available on the subject, and most of these are supplied with a Linux distribution ready for install.

Familiarize yourself with Linux disk and partition naming conventions (covered in Chapter II of this document) and you should be ready to start.

    SlackwareInstallationNotes

    Aspreviouslymentioned,itissuggestedthatyoustartwithSlackwareifthisisyourfirstforayintoLinuxandforensicsANDyouprimaryinterestis

    BarryJ.Grundy 12

  • v.3.78TheLawEnforcementandForensicExaminer'sIntroductiontoLinux

    forensics.IfyoudodecidetogiveSlackwareashot,herearesomesimpleguidelines.ThedocumentationprovidedonSlackware'ssiteiscompleteandeasytofollow.Readtherefirst...

- Decide on standalone Linux or dual boot.

- Install Windows first in a dual boot system. If you have Vista, be careful; there are issues you should be aware of. Research dual booting with Vista before proceeding.

- Determine how you want the Linux system to be partitioned.

- Do NOT create any extra partitions with Windows fdisk. Just leave the space unallocated. Slackware will require you to utilize Linux fdisk or another partitioning tool at the start of the install process.

- READ through the installation documentation before you start the process. Don't be in a hurry. If you want to learn Linux, you have to be willing to read. For Slackware, have a look through the installation chapters of the Slackbook located at http://www.slackbook.org. For a basic (but detailed) understanding of how Linux works and how to use it, the Slackbook should be your first stop.

1) Boot the Linux media. Slackware requires only the first two installation disks (or the single DVD).

- Read each screen carefully.

- Accepting most defaults works.

- Your hardware will be detected and configured under most (if not all) circumstances. Online support is extensive if you have problems.

- Keep in mind that if a piece of hardware causes problems during an install, or is not detected during installation, this does not mean that it will not work. Install the operating system and spend some time troubleshooting. When learning Linux, Google is very often your best friend (try http://www.google.com/linux).

- The Slackware install CD for the current version (12.1) will boot by default using a kernel called hugesmp.s. It includes support for most hardware by default and supports multiple CPUs. If it does not work, then try the single CPU i486 kernel huge.s. Hit the F2 key at the initial boot: prompt for more info.

- Once the system is booted, you are presented with the slackware login: prompt. READ THE ENTIRE SCREEN as instructed. Login as root, and continue with your install routine.

- The main install routine for Slackware is started with the command setup. You will need to ensure that you have your disk properly partitioned before you enter the setup program.

- Take the time to read each screen completely as it comes up.


2) Partition and format for Linux

- At a minimum you will need two partitions. This step is normally part of the installation process, or is covered in the distribution's documentation.

  - Root (/) as type Linux Native.
  - Swap as type Linux Swap (use 2x your system memory as a starting point for swap size).

- You will hear a lot about using multiple partitions for different directories. Don't let that confuse you. There are arguments both for and against using multiple partitions for a Linux file system. If you are just starting out, use one large root (/) partition, and one swap partition as described above.

- You will partition your Slackware Linux system using fdisk or cfdisk. The Slackbook has a detailed section on using fdisk to accomplish this (http://www.slackbook.org/html/book.html#INSTALLATIONPARTITIONING). In fact, I would read the entire installation section of the Slackbook. It will make the process much easier for you.

- When asked to format the root partition, I would suggest selecting the ext3 file system (now default in Slackware 12.1).

3) Package installation (system)

- When asked which packages to select for installation, it is usually safe for a beginner to select everything or full. This allows you to try all the packages, along with multiple X Window desktop environments. This can take as much as 5 to 6 GB on some of the newer distributions (5 GB on Slackware), however it includes all the software you are likely to need for a long time (including many office type applications, Internet, email, etc.). This is not really optimal for a forensic workstation, but for a learning box it will give you the most exposure to available software for experimentation.

4) Installation Configuration

Sound

- Usually automatic. If not, search the Web. The answer is out there. If it does not work out of the box (as it should with most hardware in Slackware), then try the following.

- There are many current distributions using the Advanced Linux Sound Architecture (ALSA), including Slackware. Configuring sound on Linux using ALSA can be quite easy. Once booted into your new system, try running the command alsaconf to allow the system to attempt automatic configuration. If that appears to work (no obvious error messages), run alsamixer to adjust speaker volume. These programs are run from a command prompt. The alsaconf program is run as the root user, while alsamixer can be run as a regular user.


Xorg (X Window system)

- Know your hardware (video card, etc.).

- If you choose to configure X during the installation routine, do not click yes if the installation routine asks if you want X to start automatically every time your system boots. This can make problem solving difficult and results in less control over the system. You can always start the GUI with startx from the command line.

- By default, Xorg will use a standard VESA driver to run your X Window system. You can attempt to get a more optimum configuration after the installation by running X -configure, which will write a new configuration file with settings tailored more for your hardware. This will create a file called xorg.conf.new which can then be copied to /etc/X11/xorg.conf.

- I would suggest you use XFCE as your desktop manager. Feel free to use others, but XFCE will provide a clean, uncluttered interface.

- You select XFCE as your desktop during the Slackware installation by choosing xinitrc.xfce during the X setup portion. You can try other window managers by running the command xwmconfig and selecting a different one.

Boot Method (the Boot loader selects the OS to boot)

- LILO or GRUB. LILO is the default for Slackware. Some people find GRUB more flexible and secure. GRUB can be installed later, if you like.

- Usually select the option to install LILO to the master boot record (MBR). The presence of other boot loaders (as provided by other operating systems) determines where to install LILO or GRUB.

- The boot loader contains the code that points to the kernel to be booted. Check http://www.tldp.org for multi-OS and multi-boot HowTo documents.

- Create a username for yourself; avoid using root exclusively.

- For more information, check the file CHANGES_AND_HINTS.TXT on the install CD, or at: http://slackware.osuosl.org/slackware12.1/CHANGES_AND_HINTS.TXT. This file is loaded with useful hints and changes of interest from one release to another.

Linux is a multi-user system. It is designed for use on networks (remember, it is based on Unix). The root user is the system administrator, and is created by default during installation. Exclusive use of the root login is DANGEROUS. Linux assumes that root knows what he or she is doing and allows root to do anything he or she wants, including destroy the system. Create a new user. Don't login as root unless you must. Having said this, much of the work done for forensic analysis must be done as root to allow access to raw devices and system commands.


Desktop Environment

When talking about forensic suitability, your choice of desktop system can make a difference. First of all, the terms desktop environment and window manager are NOT interchangeable. Let's briefly clarify the components of a common Linux GUI.

X Window: This is the basic GUI environment used in Linux. Commonly referred to as X, it is the application that provides the GUI framework, and is NOT part of the OS. X is a client/server program with complete network transparency.

Window Manager: This is a program that controls the appearance of windows in the X Window system, along with certain GUI behaviors (window focus, etc.). Examples are Kwin, Metacity, XFWM, Enlightenment, etc.

Desktop Environment: A combination of Window Manager and a consistent interface that provides the overall desktop experience. Examples are XFCE, GNOME, KDE, etc.

  - The default Window Manager for KDE is Kwin.
  - The default Window Manager for GNOME is Metacity.
  - The default Window Manager for XFCE is XFWM.

These defaults can be changed to allow for preferences in speed and resource management over the desire for eye candy, etc. You can also elect to run a Window Manager without a desktop environment. For example, the Enlightenment Window Manager is known for its eye candy and can be run standalone, with or without KDE or GNOME, etc.

Slackware no longer comes with GNOME as an option, though it can be installed like any other application. During the base Slackware installation, you will be given a choice of KDE, XFCE, and some others. I would like to suggest XFCE. It provides a cleaner interface for a beginner to learn on. It is leaner and therefore less resource intensive. You still have access to many KDE utilities, if you elected to install KDE during package selection. You can install more than one desktop and switch between them, if you like. The easiest way to switch is with the xwmconfig command.

The Linux Kernel: Versions and Issues

The Linux kernel is the brain of the system. It is the base component of the Operating System that allows the hardware to interact with and manage other software and system resources.


In December of 2003, the Linux 2.6 kernel was released. This was another milestone in the Linux saga, and all of the newer mainstream distribution versions are based on the 2.6 kernel. Many of the changes in 2.6 over the previous 2.4 are geared toward enterprise use and scalability. The newer kernel release also has a number of infrastructure changes that have a significant impact on Linux as a forensic platform. For example, there is enhanced support for USB and a myriad of other external devices. Read up on udev for more information on one such change [1]. We will very briefly discuss udev later in this section.

As with all forensic tools, we need to have a clear view of how any kernel version will interact with our forensic platforms and subject hardware. Almost all current distributions of Linux already come with a 2.6 kernel installed by default. Slackware 12 has also moved to the 2.6 kernel series (2.6.24.5 in 12.1).

Previous versions of this document suggested using an older (but updated) version of the kernel (2.4 series) to account for infrastructure changes in newer kernel versions that could adversely affect Linux employed as a forensic platform. This version of the Linux Forensic Practitioner's Guide has departed from that philosophy and we now use a distribution with a 2.6 kernel by default. Still, it is both interesting and important to understand the implications of kernel choice on a forensic platform. So while we have moved on to the 2.6 kernel, we will still cover the differences and caveats to using a modern kernel.

Prior to the 2.6 series kernel, the developers maintained 2 separate kernel branches. One was for the stable kernel, and the other was for testing. Once released, the stable kernel was updated with bug fixes and was considered a solid production kernel. The other kernel branch was the testing branch and was used to incorporate innovations and updates to the kernel infrastructure. The stable kernel had an even numbered secondary point release, and the testing branch had an odd numbered secondary point release.

Stable branch    Testing branch
2.0              2.1
2.2              2.3
2.4              2.5
2.6              ??

[1] http://www.kernel.org/pub/linux/utils/kernel/hotplug/udev.html


The development of the 2.5 test kernel series resulted in the stable 2.6 series. Many of the improvements, once deemed stable, were back-ported to the 2.4 kernel. As a result, the 2.4 series is still considered modern and supports much of the newer hardware currently in use.

So, what were the initial reservations about ad hoc adoption of the 2.6 kernel in forensics, even though it's considered stable? You will notice from the chart above that there is no current 2.7 testing branch. The current kernel development scheme does not utilize a testing branch. This means that new innovations and changes to kernel infrastructure get wrapped directly into 2.6 kernel updates. As a result, critical upgrades within the 2.6 kernel series have a potential to break existing applications. There were many in the Linux community (even outside of computer forensics) that saw the 2.6 kernel as a fine system for desktop computers, but did not consider using it in a production environment. Again, this does NOT mean that it was not suitable for forensics, just that it required more testing and careful configuration with the addition of more cutting edge features.

Of equal importance in selecting a Linux kernel for forensic use was the interface that the kernel provides between the hardware and the end user. The 2.6 kernel includes a number of enhancements that are designed specifically to improve the overall Linux experience on the desktop. These enhancements, if not properly configured and controlled, can result in a loss of user control over devices, one of the primary reasons for using Linux for forensics in the first place. Such obstacles can be overcome through proper configuration, but rigorous testing, as with all forensic applications, is required. Knowing what services to disable, and what effect this will have on the entire system, is imperative. While a complete discussion of these requirements is largely beyond the scope of this guide, we will cover basic configuration in later sections.

So we have finally arrived at a point where the 2.6 kernel is mainstream and we will be using it in our forensic environment. The key to safe use (this goes for ANY operating system) is knowledge of your environment and proper testing. Please keep that in mind. You MUST understand how your hardware and software interact with any given operating system before using it in a production forensic analysis.

One of the greatest strengths Linux provides is the concept of total control. This requires thorough testing and understanding. Don't lose sight of this in pursuit of an easy desktop experience.


Configuring Slackware 12: 2.6 kernel considerations

So, we've discussed the differences between the 2.4 and the 2.6 kernel. There are infrastructure changes and enhancements to the 2.6 kernel that can be more of a challenge to configure for a Linux beginner looking for a stable and sound forensic platform.

In this section, we will focus on the minimum configuration requirements for creating a sound forensic environment under current Linux distributions using the 2.6 kernel. We will briefly discuss device node management (udev), hardware abstraction (HAL) and message bus (dbus) daemons, and the desktop environment. In simplified terms, it is these components that create the most obvious problems for forensic suitability in the most current Linux distributions. The good news is that, being Linux, the user has very granular control over these services. The control that we love having with Linux is still there, we just need to grab some of it back from the kernel (or the desktop, as the case may be).

udev

Starting with kernel version 2.6.13, Linux device management was handed over to a new system called udev. Traditionally, the device nodes (files representing the devices, located in the /dev directory) used in previous kernel versions were static, that is they existed at all times, whether in use or not [2]. For example, on a system with static device nodes we may have a primary SATA hard drive that is detected by the kernel as /dev/sda. Since we have no IDE drives, no drive is detected as /dev/hda. But when we look in the /dev directory we see static nodes for all the possible disk and partition names for /dev/hda. The device nodes exist whether or not the device is detected.

In the new system, udev creates device nodes on the fly. The nodes are created as the kernel detects the device and the /dev directory is populated in real time. In addition to being more efficient, udev also runs in user space. One of the benefits of udev is that it provides for persistent naming. In other words, you can write a set of rules (for a nice explanation of udev rules, see: http://reactivated.net/writing_udev_rules.html) that will allow udev to recognize a device based on individual characteristics (serial number, manufacturer, model, etc.). The rule can be written to create a user defined link in the /dev directory, so that for example, my thumb drive can always be accessed through an arbitrary device node name of my choice, like /dev/mythumb, if I so choose. This means that I don't have to search through USB device nodes to find the correct device name if I have more than one external storage device connected.

[2] We will not cover Devfs, a device management system that used dynamic nodes prior to udev.
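As an added example of the persistent naming rule described above (these shell functions are not from the guide), the following writes a udev rule that gives one thumb drive a fixed symlink. The serial string, the link name and the rules directory are all parameters supplied by the caller; the directory defaults to /etc/udev/rules.d but can point at a scratch directory for trying the functions out.

```shell
#!/bin/sh
# Added example (not from the guide): generate a udev rule that gives a
# specific thumb drive a persistent symlink such as /dev/mythumb.
# Assumptions: the USB serial string and symlink name come from the caller;
# the rules directory is /etc/udev/rules.d unless a third argument overrides it.

# Print one udev rule line for the whole-disk node of a drive with the given
# USB serial. KERNEL=="sd?" matches sda, sdb, ... but not partition nodes;
# ATTRS{serial} is matched against the device and its parents, so the serial
# of the USB device itself is found.
udev_thumb_rule() {
    serial="$1"
    link="$2"
    printf 'KERNEL=="sd?", SUBSYSTEM=="block", ATTRS{serial}=="%s", SYMLINK+="%s"\n' \
        "$serial" "$link"
}

# Write the rule into a rules file named after the link. The "10-" prefix
# makes udev read it before most distribution rules, which sort later.
write_thumb_rule() {
    serial="$1"; link="$2"; dir="${3:-/etc/udev/rules.d}"
    file="$dir/10-$link.rules"
    udev_thumb_rule "$serial" "$link" > "$file"
    echo "$file"
}

# Sanity check a rules file before reloading udev: every non-comment line must
# contain an assignment or match operator, and a SYMLINK value must not contain
# a slash (that would try to create the link outside /dev).
check_rules_file() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    awk '
        /SYMLINK\+="[^"]*\/[^"]*"/ { bad++ }
        !/(=|\+=)"/               { bad++ }
        END { exit (bad > 0) }
    '
}
```

After writing the rule to the real rules directory, replug the device and check that the symlink now appears under /dev; the check function only validates the file's shape, it does not talk to udev.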


Udev is required for current 2.6 kernels. On Slackware, it runs as a daemon from the startup script /etc/rc.d/rc.udev. We will discuss these startup scripts in more detail later in this document. We will not do any specific configuration for udev on our forensic computers at this time. We discuss it here simply because it is a major change in device handling in the 2.6 kernel. Udev does NOT involve itself in automounting or otherwise interacting with applications. It simply provides a hardware to kernel interface.

Hardware Abstraction Layer

HAL refers to the Hardware Abstraction Layer. The HAL daemon maintains information about devices connected to the system. In effect, HAL acts as a middleman for device detection, in that it organizes device information in a uniform format accessible to applications that want to either access or react to a change in the status of a device (plugged in or unplugged, etc.). The information that HAL makes available is object specific and provides far more detail than normal kernel detection allows. As a result, applications that receive information about a device from HAL can react in context. HAL and udev are not connected, and operate independently of one another. Where HAL describes a device in detail, for use by applications, udev simply manages device nodes. In Slackware 12, HAL is run as a daemon from /etc/rc.d/rc.hald. See the section titled Service Startup Scripts in Chapter III for more information on rc scripts and how to stop the service from auto-starting.

dbus

The system message bus, or dbus, provides a mechanism for applications to exchange information. For our purposes here, we will simply state that dbus is the communication channel used by HAL to send its information to applications. In Slackware 12, dbus is run as a daemon from /etc/rc.d/rc.messagebus.

With some very fine configuration, it's possible to have HAL and dbus running and still maintain a sound forensic environment. For our purposes, we will turn HAL and dbus off. We do this because exhaustive configuration is outside the scope of this document. We will make these adjustments in the section File Permissions on page 41. It has been noted that turning dbus off is not strictly required (at this point). I suggest doing so for the sake of safety. I urge you to test your own configurations.
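The shell functions below are an added example (not the guide's own code) of the file-permission mechanism the guide points to for rc.hald and rc.messagebus: Slackware's startup scripts only run /etc/rc.d/rc.NAME when that file is executable, so clearing the execute bit keeps a service from autostarting. The rc directory is a parameter so the functions can be exercised against a scratch copy rather than the live /etc/rc.d.

```shell
#!/bin/sh
# Added example (not from the guide): inspect and change which Slackware rc.d
# services are set to autostart. Slackware runs /etc/rc.d/rc.<name> at boot
# only if the script is executable, so the execute bit is the on/off switch.
# Assumption: the rc directory is passed in (use /etc/rc.d on a real system).

# List services as "<name> enabled|disabled", one per line.
rc_status() {
    dir="$1"
    for f in "$dir"/rc.*; do
        [ -f "$f" ] || continue
        name=${f##*/rc.}
        if [ -x "$f" ]; then echo "$name enabled"; else echo "$name disabled"; fi
    done
}

# Clear the execute bit on one rc script; returns 1 if the script is missing.
rc_disable() {
    f="$1/rc.$2"
    [ -f "$f" ] || return 1
    chmod a-x "$f"
}

# Restore the execute bit (undo rc_disable).
rc_enable() {
    f="$1/rc.$2"
    [ -f "$f" ] || return 1
    chmod a+x "$f"
}

# Names of the services the guide turns off on a forensic workstation (HAL and
# the message bus) that are still set to autostart in the given directory.
rc_forensic_warnings() {
    rc_status "$1" | awk '$2 == "enabled" && ($1 == "hald" || $1 == "messagebus") { print $1 }'
}
```

On a real workstation, `rc_forensic_warnings /etc/rc.d` printing nothing means HAL and dbus will not start at the next boot; the change takes effect at boot, and a running daemon still has to be stopped by hand.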


2.6 Kernel and Desktops

One of the considerations when discussing Desktop Environments is its integration with the HAL and dbus services to allow for desktop automounting of removable media. KDE and GNOME are heavily integrated with HAL/dbus and users need to be aware of how to control this undesired behavior in a forensic environment. Equally important is how to deal with instability caused when expected messages from the OS are not received by a polling application.

XFCE is a lighter weight (read: lighter on resources) desktop. And although XFCE is also capable of integration with HAL and dbus, it allows for easier control of removable media on the desktop (search for thunar-volman). While KDE and GNOME also allow for control of automounting through configuration dialogs, they are far more tightly integrated and arguably more complex.

Rolling your own: The Custom Kernel

"Every forensic examiner should compile his own kernel, just like every Jedi builds his own lightsaber."

The Cory Altheide

At some point during your Linux education, you will want to learn how to recompile your kernel. Why? Well... the above quote puts it quite nicely. The kernel that comes with your distro of choice is often heavily patched, and is configured to work with the widest variety of hardware possible. This gives the stock distribution a better chance of working on a multitude of systems right out of the box. Note that the Slackware kernels are nicely generic and quite suitable out of the box for forensic use. Also, be warned that user customized kernels make for difficult troubleshooting and you will often be asked to reproduce problems with a stock kernel before you can get specific support. This is simply a matter of defining a common denominator when addressing problems.

The actual steps for compiling a custom kernel are outside the scope of this document, and have been covered elsewhere [3]. The concepts, however, are important for an overall understanding of how Linux works.

[3] A quick Internet search for linux custom kernel compile or the like will provide a good start. Throw in the word forensic for some more specific pointers.


As mentioned previously, the kernel provides the most basic interface between hardware and the system software and resource management. This includes drivers and other components that are actually small separate pieces of code that can either be compiled as modules or compiled directly in the kernel image.

There are two basic approaches to compiling a kernel. Static kernels are built so that all of the drivers and desired features are compiled into the single kernel image. Modular kernels are built such that drivers and other features can be compiled as separate object files that can be loaded and unloaded on the fly into a running system. More on handling kernel modules can be found in Section II of this document, under Using Modules.

In short, you might find yourself in need of a kernel recompile as a result of the fact that you require specific drivers or support that is not currently included in your distribution's default kernel configuration. Or, after becoming comfortable with Linux, you decide you want to try your hand at actually configuring your custom kernel simply because you want to make it more efficient or because you want to expand the support for hardware, file systems, or partition table types that you might come across during an investigation.

In any event, forensics with Linux is all about control. Customizing your kernel configuration, while an advanced skill, is the most basic form of control you have in Linux (short of rewriting the source code itself). At some point, this is something you will want to educate yourself further on.


II. Linux Disks, Partitions and the File System

Disks

Linux treats its devices as files. The special directory where these "files" are maintained is "/dev".

DEVICE:                                  FILE NAME:
Floppy (a:)                              /dev/fd0
Hard disk (master, IDE0)                 /dev/hda
Hard disk (slave, IDE0)                  /dev/hdb
Hard disk (master, IDE1)                 /dev/hdc, etc.
1st SCSI hard disk (SATA, USB)           /dev/sda
2nd SCSI hard disk                       /dev/sdb, etc.

Partitions

DEVICE:                                  FILE NAME:
1st Hard disk (master, IDE0)             /dev/hda
  1st Primary partition                  /dev/hda1
  2nd Primary partition                  /dev/hda2, etc.
  1st Logical drive (on extd part)       /dev/hda5
  2nd Logical drive                      /dev/hda6, etc.
2nd Hard disk (slave, IDE0)              /dev/hdb
  1st Primary partition                  /dev/hdb1, etc.
CDROM (ATAPI) or 3rd disk (mstr, IDE1)   /dev/hdc
1st SCSI disk (or SATA, USB, etc.)       /dev/sda
  1st Primary partition                  /dev/sda1, etc.

The pattern described above is fairly easy to follow. If you are using a standard IDE disk (or standard ATAPI CDROM drive), it will be referred to as hdx where the "x" is replaced with an "a" if the disk is connected to the primary IDE controller as master and a "b" if the disk is connected to the primary IDE controller as a slave device. In the same way, the IDE disks (or CDROM) connected to the secondary IDE controller as master and slave will be referred to as hdc and hdd respectively.

SCSI and Serial ATA (SATA) disks will be referred to as sdx. In the case of SCSI disks, they are assigned letters in the order in which they are detected. This includes USB and Firewire. For example, a primary SATA disk will be assigned sda. If you attach a USB disk or a thumb drive it will normally be detected as sdb, and so on. [4]

[4] You may run across older distributions that support devfs which uses a different naming scheme. Don't let this confuse you. The pattern described above is still supported through links for compatibility. See http://www.atnf.csiro.au/people/rgooch/linux/docs/devfs.html for more information.


The fdisk program can be used to create or list partitions on a supported device. This is an example of the output of fdisk on a dual boot system using the list option (-l [dash el]):

root@rock:~# fdisk -l /dev/hda

Disk /dev/hda: 60.0 GB, 60011642880 bytes
255 heads, 63 sectors/track, 7296 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/hda1   *           1         654     5253223+   7  HPFS/NTFS
/dev/hda2             655        2478    14651280    7  HPFS/NTFS
/dev/hda3            2479        7296    38700585    5  Extended
/dev/hda5            2479        4303    14659281   83  Linux
/dev/hda6            4304        4366      506016   82  Linux swap
/dev/hda7            4367        7296    23535193+   c  W95 FAT32 (LBA)

fdisk -l /dev/hdx gives you a list of all the partitions available on a particular drive (in this case an IDE drive). Each partition is identified by its Linux name. The "boot flag" is indicated, and the beginning and ending cylinders for each partition are given. The number of blocks per partition is displayed. Finally, the partition "Id" and file system type are displayed. To see a list of valid types, run fdisk and at the prompt type "l" (the letter el). Do not confuse Linux fdisk with DOS fdisk. They are very different. The Linux version of fdisk provides for much greater control over partitioning.

Remember that the partition type identified in the last column, under System, has nothing to do with the file system found on that partition. Do not rely on the partition type to determine the file system. On most normal systems, a type c (W95 FAT32) partition type will contain a FAT32 partition, but not always. Also, consider partitions of type 83 (Linux). Type 83 partitions can normally hold EXT2, EXT3, ReiserFS, or any number of other file system types. We will discuss file system identification later in this document.

BEFORE FILE SYSTEMS ON DEVICES CAN BE USED, THEY MUST BE MOUNTED! Any file systems on partitions you define during installation will be mounted automatically every time you boot. We will cover the mounting of file systems in the section that deals with Linux commands, after you have some navigation experience.

Keep in mind that even when not mounted, devices can still be written to. Simply not mounting a file system does not protect it from being inadvertently changed through your actions.


Mounting file systems on some types of external devices, which we will come to later in this document, may require us to delve a little deeper into modules.

Using modules: Linux Drivers

It's difficult to decide when to introduce modules to a new user. The concept can be a little confusing, but out of the box Linux distributions rely heavily on modules for device and file system support. For this reason, we will make an effort to get familiar with the concept early on.

As discussed in the previous section, modules are really just drivers that can be loaded and unloaded from the kernel dynamically. They are object files (*.ko for the 2.6 kernel) that contain the required driver code for the supported device or option. Modules can be used to provide support for everything from USB controllers and network interfaces to file systems.

The various modules available on your system are located in the /lib/modules/<kernel version>/ directory. Note that the current kernel version running on your system can be found using the command uname -r.

There are, in general, three ways that driver code is loaded in Linux:

- Driver code is compiled directly into the kernel. The code is part of the kernel image that is loaded when the computer boots. Supported devices are recognized and configured as the OS loads.

- Modules are loaded at boot time through the actions of udev, which handles hotplug events. After the kernel is loaded, udev events are triggered and the proper modules are automatically loaded. We will cover this in more detail in the chapter covering system startup. Recall that udev handles the device node management.

- Modules are manually loaded by the user, as needed.

In cases where the driver code is not automatically loaded, modules can be installed and removed from the system on the fly using the following commands (as root):

  modprobe    an intelligent module loader
  rmmod       to remove the module
  lsmod       to get a list of currently installed modules

For example, to get USB support for a USB thumb drive on some systems, you may need to load a couple of modules. With the USB device plugged in, we can install the needed modules (ehci_hcd for many USB 2.0 controllers, and usb-storage for the storage interface) with:

  modprobe ehci_hcd      (depending on your USB controller)
  modprobe usb-storage

Note that while the module is named with a .ko extension, we do not include that in the insertion command.

We only need to install these drivers if the kernel does not have the support compiled in, or if the module is not loaded automatically. Note that on a stock Slackware 12.1 system, the support for USB is compiled into the kernel and loading modules is not needed.

So how would you know if you needed to load modules? To check and see if the modules are already loaded, you can use the lsmod command to look for the driver name. Use grep to show only lines with specific text. We will cover grep in far more detail later on.

root@rock:~# lsmod | grep ehci_hcd
root@rock:~#

In this case, the command returns nothing. This might indicate that the driver is not loaded or it might indicate that the driver is not a module, but is compiled directly into the kernel. I can check this using the dmesg command and grep as well. The dmesg command replays the system startup messages.

root@rock:~# dmesg | grep ehci_hcd
ehci_hcd 0000:00:1d.7: EHCI Host Controller
ehci_hcd 0000:00:1d.7: new USB bus registered, assigned bus number 1
ehci_hcd 0000:00:1d.7: debug port 1
ehci_hcd 0000:00:1d.7: irq 20, io mem 0x80004000
ehci_hcd 0000:00:1d.7: USB 2.0 started, EHCI 1.00, driver 10 Dec 2004

The output of the above commands shows us that support for the USB 2.0 host controller is already loaded (as shown in the dmesg output), but not as a module (as shown in the lsmod output).

While this subject can be a bit daunting at first, just keep in mind that an attached device may or may not work on a given system until the proper module is installed. Knowing how to check for existing support, and how to insert a module if needed is important.
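The two-step check just described (lsmod first, then dmesg) can be wrapped in a function. The one below is an added example, not the guide's code: it takes the driver name plus captured lsmod and dmesg text as parameters, so it runs on the constructed samples embedded here and, on a live system, on "$(lsmod)" and "$(dmesg)". It also handles the dash/underscore difference (usb-storage.ko shows up in lsmod as usb_storage), which otherwise makes a loaded module look absent.

```shell
#!/bin/sh
# Added example (not from the guide): classify a driver as a loaded module,
# built into the kernel, or absent, from lsmod and dmesg text. The samples
# are constructed for this example; they are not output from the guide's system.

LSMOD_SAMPLE='Module                  Size  Used by
usb_storage            76416  0
snd_hda_intel          26448  2'

DMESG_SAMPLE='ehci_hcd 0000:00:1d.7: EHCI Host Controller
ehci_hcd 0000:00:1d.7: new USB bus registered, assigned bus number 1
ehci_hcd 0000:00:1d.7: USB 2.0 started, EHCI 1.00, driver 10 Dec 2004
usb-storage: device scan complete'

# lsmod prints module names with underscores even when the .ko file and
# modprobe use a dash, so normalise both sides before comparing.
norm() { printf '%s' "$1" | tr '-' '_'; }

# driver_status NAME LSMOD_TEXT DMESG_TEXT -> prints module | builtin | absent
# "builtin" is the same inference the guide makes: the kernel logged the
# driver at startup, yet lsmod does not list it as a module.
driver_status() {
    want=$(norm "$1")
    if printf '%s\n' "$2" | awk -v m="$want" 'NR > 1 && $1 == m { f = 1 } END { exit !f }'; then
        echo module
    elif printf '%s\n' "$3" | tr '-' '_' | grep -q "^$want[ :]"; then
        echo builtin
    else
        echo absent
    fi
}
```

With the samples above, `driver_status ehci_hcd "$LSMOD_SAMPLE" "$DMESG_SAMPLE"` prints builtin, matching the listing's conclusion, while usb-storage is reported as a loaded module; "absent" is the only result that calls for modprobe.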


Device Recognition

Another common question arises when a user plugs a device in a Linux box and receives no feedback on how (or even if) the device was recognized. One easy method for determining how and if an inserted device is registered is to use the previously introduced dmesg command.

For example, if I plug a USB thumb drive into a Linux computer, and the computer is running a HAL enabled desktop, I may well see an icon appear on the desktop for the disk. I might even see a folder open on the desktop allowing me to access the files automatically. Obviously, on a system we are using as a forensic platform, we may want to minimize this sort of behavior (more on that later...).

So when there is no visible feedback, where do we look to see what device node was assigned to our disk (/dev/sda, /dev/sdb, etc.)? How do we know if it was even detected? Again, this question is particularly pertinent to the forensic examiner, since we will likely configure our system to be a little less helpful.

Plugging in the thumb drive and running the dmesg command provides me with the following output:

root@rock:~# dmesg
scsi 2:0:0:0: Direct-Access     SanDisk  U3 Titanium      2.16 PQ: 0 ANSI: 2
sd 2:0:0:0: [sda] 1994385 512-byte hardware sectors (1021 MB)
sd 2:0:0:0: [sda] Write Protect is off
sd 2:0:0:0: [sda] Mode Sense: 03 00 00 00
sd 2:0:0:0: [sda] Assuming drive cache: write through
sd 2:0:0:0: [sda] 1994385 512-byte hardware sectors (1021 MB)
sd 2:0:0:0: [sda] Write Protect is off
 sda: sda1
sd 2:0:0:0: [sda] Attached SCSI removable disk
scsi 2:0:0:1: CD-ROM           SanDisk  U3 Titanium      2.16 PQ: 0 ANSI: 2
sr0: scsi3-mmc drive: 8x/40x writer xa/form2 cdda tray
sr 2:0:0:1: Attached scsi CD-ROM sr0
usb-storage: device scan complete

The important information is in the lines that name the device nodes ([sda], "sda: sda1" and sr0). Note that this particular thumb drive (a SanDisk U3) provides two parts, the storage volume with a single partition (/dev/sda1), and an emulated CDROM device which was detected as /dev/sr0. SCSI CDROM devices are recognized as srx or scdx.
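Reading the node names out of that listing by eye works for one device; the shell functions below do it for any dmesg text and are an added example, not part of the guide. They report each attached SCSI disk or CD-ROM with its write-protect state, and the partitions the kernel found on a disk. The embedded sample is the listing above, so the functions run offline; on a live system use `dmesg | attached_nodes`.

```shell
#!/bin/sh
# Added example (not from the guide): extract the device nodes the kernel
# assigned to newly attached devices from dmesg text. DMESG_SAMPLE is the
# listing shown above, reproduced so the functions run without a real device.

DMESG_SAMPLE='scsi 2:0:0:0: Direct-Access     SanDisk  U3 Titanium      2.16 PQ: 0 ANSI: 2
sd 2:0:0:0: [sda] 1994385 512-byte hardware sectors (1021 MB)
sd 2:0:0:0: [sda] Write Protect is off
 sda: sda1
sd 2:0:0:0: [sda] Attached SCSI removable disk
scsi 2:0:0:1: CD-ROM           SanDisk  U3 Titanium      2.16 PQ: 0 ANSI: 2
sr0: scsi3-mmc drive: 8x/40x writer xa/form2 cdda tray
sr 2:0:0:1: Attached scsi CD-ROM sr0
usb-storage: device scan complete'

# Print one line per attached device: "<node> <type> <write state>".
# The "[sdX]" tag names a disk; "Attached scsi CD-ROM srN" names a CD-ROM,
# real or emulated (the U3 CD partition of the thumb drive above).
attached_nodes() {
    awk '
        /\[sd[a-z]+\] Write Protect is/ {
            n = $3; gsub(/\[|\]/, "", n)
            wp[n] = ($NF == "on") ? "write-protected" : "writable"
        }
        /\[sd[a-z]+\] Attached SCSI/ {
            n = $3; gsub(/\[|\]/, "", n)
            disk[n] = (($0 ~ /removable/) ? "removable-disk" : "disk")
        }
        /Attached scsi CD-ROM sr[0-9]+/ { cd[$NF] = 1 }
        END {
            for (n in disk) printf "/dev/%s %s %s\n", n, disk[n], ((n in wp) ? wp[n] : "unknown")
            for (n in cd)   printf "/dev/%s cdrom read-only\n", n
        }' | sort
}

# Partition nodes the kernel found on a disk, from the " sda: sda1" style line.
partitions_of() {
    awk -v d="$1" '$1 == d ":" { for (i = 2; i <= NF; i++) print "/dev/" $i }'
}
```

The "writable" state comes from the kernel's "Write Protect is off" line: it tells you the device itself is not read-only, which is exactly why a write blocker or a read-only mount is still needed before touching it on a forensic workstation.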


The File System

Like the Windows file system, the Linux file system is hierarchical. The "top" directory is referred to as "the root" directory and is represented by "/". Note that the following is not a complete list, but provides an introduction to some important directories.

/ (root, not to be confused with /root)
|_bin
|  |_ls, chmod, sort, date, cp, dd
|_boot
|  |_vmlinuz, system.map
|_dev
|  |_hd*, tty*, sd*, fd*, cdrom
|_etc
|  |_X11
|  |  |_XF86Config, X
|  |_lilo.conf, fstab, inittab, modules.conf
|_home
|  |_barry (your user's name is in here)
|  |  |_.bashrc, .bash_profile, personal files
|  |_other users
|_mnt
|  |_cdrom
|  |_floppy
|  |_other temporary mount points
|_media
|  |_cdrom0
|  |_dvd0
|  |_other standard media mount points
|_root
|  |_


    Notethatthedirectoryslash(/)isoppositewhatmostpeopleareusedtoinWindows(\).

    Directorycontentscaninclude:

    /bin Commoncommands. /boot Filesneededatboottime,includingthekernelimagespointed

    tobyLILO(theLInuxLOader)orGRUB. /dev Filesthatrepresentdevicesonthesystem.Theseareactually

    interfacefilestoallowthekerneltointeractwiththehardwareandthefilesystem.

    /etc Administrativeconfigurationfilesandscripts. /homeDirectoriesforeachuseronthesystem.Eachuserdirectory

    canbeextendedbytherespectiveuserandwillcontaintheirpersonalfilesaswellasuserspecificconfigurationfiles(forXpreferences,etc.).

    /mnt Providestemporarymountpointsforexternal,remoteandremovablefilesystems.

    /mediaProvidesastandardplaceforusersandapplicationstomountremovablemedia.PartofthenewFileSystemHierarchyStandard.

    /root Therootuser'shomedirectory. /sbin Administrativecommandsandprocesscontroldaemons. /usr Containslocalsoftware,libraries,games,etc. /var Logsandothervariablefilewillbefoundhere.

    Anotherimportantconceptwhenbrowsingthefilesystemisthatofrelativeversusexplicitpaths.Whileconfusingatfirst,practicewillmaketheideasecondnature.Justrememberthatwhenyouprovideapathnametoacommandorfile,includinga/infrontmeansanexplicitpath,andwilldefinethelocationstartingfromthetopleveldirectory(root).Beginningapathnamewithouta/indicatesthatyourpathstartsinthecurrentdirectoryandisreferredtoasarelativepath.Moreonthislater.

    One very useful resource for this subject is the File System Hierarchy Standard (FHS), the purpose of which is to provide a reference for developers and system administrators on file and directory placement. Read more about it at http://www.pathname.com/fhs/

    Barry J. Grundy 29


    III. The Linux Boot Sequence (Simplified)

    Booting the kernel

    The first step in the (simplified) boot-up sequence for Linux is loading the kernel. The kernel image is usually contained in the /boot directory. It can go by several different names:

        bzImage
        vmlinuz

    Sometimes the kernel image will specify the kernel version contained in the image, i.e. bzImage-2.6.24. Very often there is a soft link (like a shortcut) to the most current kernel image in the /boot directory. It is normally this soft link that is referenced by the boot loader, LILO (or GRUB).

    The boot loader specifies the root device (boot drive), along with the kernel version to be booted. For LILO, this is all controlled by the file /etc/lilo.conf. Each image= section represents a choice in the boot screen.

    This is an example of a lilo.conf file [5]:

    In the case of GRUB, each section beginning with title is a choice for booting and can include Linux as well as other operating systems, including Windows. Note again the reference to the kernel location, and the root device (where the root file system is located). GRUB starts its counting from 0, so where you see hd0,0 it is referring to the first IDE disk, followed by the first partition. See the info or man page for GRUB.

    [5] The actual /etc/lilo.conf file on your system will be much more cluttered with comments (lines starting with a #). Comments have been removed from this example for readability.


        root@rock:~# cat /etc/lilo.conf
        boot=/dev/hda
        map=/boot/map
        install=/boot/boot.b
        prompt
        timeout=50
        image=/boot/bzImage      <- Defines the Linux kernel to boot
          label=linux            <- Menu choice in LILO
          root=/dev/hda3         <- Where the root file system is found
          read-only
        other=/dev/hda1          <- Defines alternate boot option
          label=WinXP            <- Menu choice in LILO
          table=/dev/hda



    In the following GRUB example, there will be two different Linux kernel choices offered in the boot menu. They all use the same root file system, but differ in the kernel image loaded from the /boot partition.

    Once the system has finished booting, you can see the kernel messages that fly past the screen during the booting process with the command dmesg. We discussed this command a little when we talked about device recognition earlier. As previously mentioned, this command can be used to find hardware problems, or to see how a removable (or suspect) drive was detected, including its geometry, etc. The output can be piped through a paging viewer to make it easier to see (in this case, dmesg is piped through less on my Slackware system):


        root@rock:~# cat /boot/grub/grub.conf
        boot=/dev/hda
        default=0
        timeout=10
        splashimage=(hd0,0)/boot/grub/splash.xpm.gz
        title Linux (2.6.24)


    Initialization

    The next step in the boot sequence starts with the program /sbin/init. This program really has two functions:

        - initialize the run level and startup scripts
        - terminal process control (respawn terminals)

    In short, the init program is controlled by the file /etc/inittab. It is this file that controls your run level and the global startup scripts for the system.

    Run level

    The run level is simply a description of the system state. For our purposes, it is easiest to say that (for Slackware, at least; other systems, like Fedora Core, will differ):

        run level 0 = shutdown
        run level 1 = single user mode
        run level 3 = full multi-user mode / text login
        run level 4 = full multi-user / X11 / graphical login [6]
        run level 6 = reboot

    In the file /etc/inittab you will see a line similar to:

        id:3:initdefault:

    It is here that the default run level for the system is set. If you want a text login (which I would strongly suggest), set the above value to 3. This is the default for Slackware. With this default run level, you use startx to get to the X Window GUI system. If you want a graphical login, you would edit the above line to contain a 4.

    [6] This is largely distribution dependent. In Fedora Core, run level 5 provides a GUI login. In Slackware, it's run level 4.


        root@rock:~# less /etc/inittab
        #
        # /etc/inittab: This file describes how the INIT process should set up
        # the system in a certain run-level.
        #
        # Default runlevel.
        id:3:initdefault:

        # System initialization, (runs when system boots).
        si:S:sysinit:/etc/rc.d/rc.S



    Global Startup Scripts

    After the default run level has been set, init (via /etc/inittab) then runs the following scripts:

    /etc/rc.d/rc.S               handles system initialization, file system mount and check, PNP devices, etc.
    /etc/rc.d/rc.X               where X is the run level passed as an argument by init. In the case of multi-user (non-GUI) logins (run level 2 or 3), this is rc.M. This script then calls other startup scripts (various services, etc.) by checking to see if they are executable.
    /etc/rc.d/rc.local           called from within the specific run level scripts, rc.local is a general purpose script that can be edited to include commands that you want started at boot-up (sort of like autoexec.bat).
    /etc/rc.d/rc.local_shutdown  This file should be used to stop any services that were started in rc.local.

    Service Startup Scripts

    Once the global scripts run, there are service scripts in the /etc/rc.d/ directory that are called by the various run level scripts, as described above, depending on whether the scripts themselves have executable permissions. This means that we can control the boot-time initialization of a service by changing its executable status. More on how to do this later. Some examples of service scripts are:

    /etc/rc.d/rc.inet1       handles network interface initialization.
    /etc/rc.d/rc.inet2       handles network services start. This script organizes the various network services scripts, and ensures that they are started in the proper order.
    /etc/rc.d/rc.pcmcia      starts PC card services.
    /etc/rc.d/rc.sendmail    starts the mail server. Controlled by rc.inet2.
    /etc/rc.d/rc.sshd        starts the OpenSSH server. Also controlled by rc.inet2.
    /etc/rc.d/rc.messagebus  starts dbus messaging services.
    /etc/rc.d/rc.hald        starts hardware abstraction layer daemon services.
    /etc/rc.d/rc.udev        populates the /dev directory with device nodes, scans for devices, loads the appropriate kernel modules, and configures the devices.

    Have a look at the /etc/rc.d directory for more examples. Note that in a standard Slackware install, your directory listing will show executable scripts as green in color (in the terminal) and followed by an asterisk (*).



    Again, this is Slackware specific. Other distributions differ (some differ greatly!), but the concept remains consistent. Once you become familiar with the process, it will make sense. The ability to manipulate startup scripts is an important step in your Linux learning process.

    Bash

    bash (Bourne Again Shell) is the default command shell for most Linux distros. It is the program that sets the environment for your command line experience in Linux. The functional equivalent in DOS would be command.com. There are a number of shells available, but we will cover bash here.

    There are actually quite a few files that can be used to customize a user's Linux experience. Here are some that will get you started.

    /etc/profile

    This is the global bash initialization file for interactive login shells. Edits made to this file will be applied to all bash shell users. This file sets the standard system path, the format of the command prompt and other environment variables.

    Note that changes made to this file may be lost during upgrades. Another method is to create an executable file in the directory /etc/profile.d. Executable files placed in that directory are run at the end of /etc/profile.

    /home/$USER/.bash_profile [7]

    This script is located in each user's home directory ($USER) and can be edited by the user, allowing him or her to customize their own environment. It is in this file that you can add aliases to change the way commands respond. Note that the dot in front of the file name makes it a hidden file.

    /home/$USER/.bash_history

    This is an exceedingly useful file for a number of reasons. It stores a set number of commands that have already been typed at the command line (default is 500). These are accessible through either reverse search or simply by using the up arrow on the keyboard to scroll through the history of already used commands. Instead of retyping a command over and over again, you can access it from the history.

    From the perspective of a forensic examiner, if you are examining a Linux system, you can access each user's (don't forget root) .bash_history file to see what commands were run from the command line. Remember that the leading . in the file name signifies that it is a hidden file.

    [7] In bash we define the contents of a variable with a dollar sign. $USER is a variable that represents the name of the current user. To see the contents of individual shell variables, use echo $VARNAME.



    Keep in mind that the default values for .bash_history (number of entries, history file name, etc.) can be controlled by the user(s). Read man bash for more detailed info.

    The bash startup sequence is actually more complicated than this, but this should give you a starting point. In addition to the above files, check out /home/$USER/.bashrc. The man page for bash is an interesting (and long) read, and will describe some of the customization options. In addition, reading the man page will give a good introduction to the programming power provided by bash scripting. When you read the man page, you will want to concentrate on the INVOCATION section for how the shell is used and basic programming syntax.



    IV. Linux Commands

    Linux at the terminal

    Directory listing = ls

        ls       list files.
        ls -F    classifies files and directories.
        ls -a    show all files (including hidden).
        ls -l    detailed file list (long view).
        ls -lh   detailed list (long, with human readable file sizes).

    We will discuss the meaning of each column in the ls -l output later in this document.

    Change directory = cd

        cd               change directory to.
        cd (by itself)   shortcut back to your home directory.
        cd ..            up one directory (note the space between cd and ..).
        cd -             back to the last directory you were in.
        cd /dirname      change to the specified directory. Note that the addition of the / in front of the directory implies an explicit (absolute) path, not a relative one. With practice, this will make more sense.
        cd dirname       change to the specified directory. The lack of a / in front of the directory name implies a relative path, meaning dirname is a subfolder of our current directory.

    Copy = cp

        cp sourcefile destinationfile   copy a file.

    Clear the Terminal = clear

        clear   clears the terminal screen of all text and returns a prompt.


        root@rock:~# ls -l
        total 3984
        drwxr-xr-x 3 root root   4096 Feb 15  2004 Backup_config
        drwxr-xr-x 2 root root   4096 Jun 16 16:10 Desktop
        drwx------ 2 root root   4096 Jan 27  2004 Documents
        drwxr-xr-x 3 root root   4096 Aug 10 14:26 VMware
        -rw-r--r-- 1 root root    175 Sep 26  2003 investigator.bjg
        -rwxrwx--- 1 root root   2740 Dec 15  2003 k.key
        -rwxr-xr-x 1 root root 107012 Nov 29  2003 scanModem



    Move a file or directory = mv

        mv sourcefile destinationfile   move or rename a file.

    Delete a file or directory = rm

        rm filename   deletes a file.
        rm -r         recursively deletes all files in directories and subdirectories.
        rmdir         remove directories.
        rm -f         do not prompt for file removal.

    Display command help = man

        man command   displays a "manual" page for the specified command. Use "q" to quit. VERY USEFUL.

    If you want to find information about a command called find, including its usage, options, output, etc., then you would use the man page for the command find:

    Create a directory = mkdir

        mkdir directoryname   creates a directory. Again, remember the difference between a relative and explicit path here.


        root@rock:~# man find
        FIND(1L)                                                     FIND(1L)

        NAME
               find - search for files in a directory hierarchy

        SYNOPSIS
               find [path...] [expression]

        DESCRIPTION
               This manual page documents the GNU version of find. find searches
               the directory tree rooted at each given file name by evaluating the
               given expression from left to right, according to the rules of
               precedence (see section OPERATORS), until the outcome is known (the
               left hand side is false for and operations, true for or), at which
               point find moves on to the next file name.



    Display the contents of a file = cat or more or less

        cat filename    The simplest form of file display, cat streams the contents of a file to the standard output (usually the terminal). cat actually stands for concatenate. This command can also be used to add files together (useful later on). For example:

            cat file1 file2 > file3

        Takes the contents of file1 and file2 and streams the output, which is redirected to a single file, file3. This effectively adds the two files into one single file (the original files remain unchanged).

        more filename   displays the contents of a file one page at a time. Unlike its DOS counterpart, Linux more takes file names as direct arguments.

        less filename   less is a better more. Supports scrolling in both directions, and a number of other powerful features. less is actually the GNU version of more, and on many systems you will find that more is actually a link to less. Use q to exit a less session.

    Note that you can string together several options. For example:

        ls -aF

    ..will give you a list of all files (a), including hidden files, and file/directory classification (F, which shows "/" for directories, "*" for executables, and "@" for links).


        bgrundy@rock:~/workdir $ ls -aF
        ./   .lntrc  arlist     dir1/  doc1@     rmscript*  workfiles/
        ../  .tschr  cpscript*  dir2/  mystuff/  topsc@



    Additional useful commands

        grep    search for patterns.

            grep pattern filename

        grep will look for occurrences of pattern within the file filename. grep is an extremely powerful tool. It has hundreds of uses given the large number of options it supports. Check the man page for more details. We will use grep in our forensic exercises later on.

        find    allows you to search for a file (wildcards, actually expressions, permitted). To look for your fstab file, you might try:

        This means "find, starting in the root directory (/), by name, fstab and print the results to the screen". find also allows you to search by file type or even file times (actually inode times). The power of the find command should not be underestimated. More on this tool later.

        pwd     prints the present working directory to the screen. The following example shows that we are currently in the directory /root.

        file    categorizes files based on what they contain, regardless of the name (or extension, if one exists). Compares the file header to the "magic" file in an attempt to ID the file type. For example:

        ps      list of current processes. Gives the process ID number (PID), and the terminal on which the process is running.

        ps ax   shows all processes (a), and all processes without an associated terminal (x). Note the lack of a dash in front of the options. See the man page for info on this departure from our previous convention.


        root@rock:~# find / -name fstab -print
        /etc/fstab

        root@rock:~# pwd
        /root

        root@rock:~# file snapshot01.gif
        snapshot01.gif: GIF image data, version 87a, 800 x 600



        strings    prints out the readable characters from a file. Will print out strings that are at least four characters long (by default) from a file. Useful for looking at data files without the originating program, and searching executables for useful strings, etc. More on this forensically useful command later.

        chmod      changes the permissions on a file. (See the section in this document on permissions).

        chown      changes the owner of a file in much the same way as chmod changes the permissions.

        shutdown   this command MUST be used to shut down the machine and cleanly exit the system. This is not DOS. Turning off the machine at the prompt is not allowed and can damage your file system (in some cases) [8]. You can run several different options here (check the man page for many more):

            shutdown -r now   will reboot the system now (change to run level 6).
            shutdown -h now   will halt the system. Ready for power down (change to run level 0).

    [8] This has become much less of an issue with the newer journaled file systems used by Linux.


        root@rock:~# ps ax
          PID TTY      STAT   TIME COMMAND
            1 ?        S      0:00 init [3]
            2 ?        SN     0:00 [ksoftirqd/0]
            3 ?        S<     0:00 [events/0]
            4 ?        S<     0:00 [khelper]
        ...
         1966 ?        Ss     0:00 /usr/sbin/syslogd -m 0
         1973 ?        Ss     0:00 /usr/sbin/klogd -c 3 -2
         2009 ?        Ss     0:00 /usr/sbin/acpid -c /etc/acpi/events
         2109 ?        Ss     0:00 /usr/sbin/cupsd



    File Permissions

    Files in Linux have certain specified file permissions. These permissions can be viewed by running the ls -l command on a directory or on a particular file. For example:

    If you look close at the first 10 characters, you have a dash (-) followed by 9 more characters. The first character describes the type of file. A dash (-) indicates a regular file. A "d" would indicate a directory, and "b" a special block device, etc.

    First character of ls -l output:

        -  = regular file
        d  = directory
        b  = block device (SCSI or IDE disk)
        c  = character device (serial port)
        l  = link (points to another file or directory)

    The next 9 characters indicate the file permissions. These are given in groups of three:

        Owner   Group   Others
        rwx     rwx     rwx

    The characters indicate:

        r = read
        w = write
        x = execute

    So for the above myfile we have rwxr-xr-x

    This gives the file owner read, write and execute permissions (rwx), but restricts other members of the owner's group and users outside that group to only read and execute the file (r-x). Write access is denied as symbolized by the -.

    Now back to the chmod command. There are a number of ways to use this command, including explicitly assigning r, w, or x to the file. We will cover the octal method here because the syntax is easiest to remember (and I find it most flexible). In this method, the syntax is as follows:


        root@rock:~# ls -l myfile
        -rwxr-xr-x 1 root root 1643 Jan 19 23:23 myfile



        chmod octal filename

    octal is a three digit numerical value in which the first digit represents the owner, the second digit represents the group, and the third digit represents others outside the owner's group. Each digit is calculated by assigning a value to each permission:

        read (r)    = 4
        write (w)   = 2
        execute (x) = 1

    For example, the file filename in our original example has an octal permission value of 755 (rwx = 7, r-x = 5, r-x = 5). If you wanted to change the file so that the owner and the group had read, write and execute permissions, but others would only be allowed to read the file, you would issue the command:

        chmod 774 filename

        4(r) + 2(w) + 1(x) = 7
        4(r) + 2(w) + 1(x) = 7
        4(r) + 0(-) + 0(-) = 4

    A new long list of the file would show:

        (rwx = 7, rwx = 7, r-- = 4)
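    The octal arithmetic above as an added shell example (not from the guide): functions that convert the ls -l permission field to its octal value and back, and annotate a listing with both. The sample listing is constructed; beyond what the guide covers, the converter also maps the setuid, setgid and sticky letters (s, S, t, T) into a leading fourth digit.

```shell
#!/bin/sh
# Added example, not part of the guide: convert between the symbolic
# permission field that "ls -l" prints and the octal value chmod takes.
# The guide covers r, w and x; this also maps the setuid/setgid/sticky
# letters (s, S, t, T) that can appear in the same field, as a leading
# fourth digit.

# mode_to_octal MODE     e.g.  mode_to_octal -rwxr-xr-x  ->  755
mode_to_octal() {
    m=$1
    [ "${#m}" -eq 10 ] || { echo "expected a 10-character mode, got '$m'" >&2; return 1; }
    perms=$(printf %s "$m" | cut -c2-10)        # drop the type char (-, d, l, b, c)
    special=0
    digits=""
    for pos in 1 4 7; do                        # owner, group, others
        triad=$(printf %s "$perms" | cut -c"$pos"-"$((pos + 2))")
        d=0
        case $triad in r??) d=$((d + 4)) ;; esac
        case $triad in ?w?) d=$((d + 2)) ;; esac
        case $triad in ??[xst]) d=$((d + 1)) ;; esac   # lower-case s/t imply x
        case "$pos$triad" in                    # special bits, with or without x
            1??[sS]) special=$((special + 4)) ;;   # setuid
            4??[sS]) special=$((special + 2)) ;;   # setgid
            7??[tT]) special=$((special + 1)) ;;   # sticky
        esac
        digits="$digits$d"
    done
    [ "$special" -ne 0 ] && digits="$special$digits"
    printf '%s\n' "$digits"
}

# octal_to_mode OCTAL    e.g.  octal_to_mode 774  ->  rwxrwxr--
# (a leading fourth digit is accepted and ignored; only r/w/x are rebuilt)
octal_to_mode() {
    o=$1
    o=${o#"${o%???}"}                           # keep the last three digits
    out=""
    for d in $(printf %s "$o" | sed 's/./& /g'); do
        [ $((d & 4)) -ne 0 ] && out="${out}r" || out="${out}-"
        [ $((d & 2)) -ne 0 ] && out="${out}w" || out="${out}-"
        [ $((d & 1)) -ne 0 ] && out="${out}x" || out="${out}-"
    done
    printf '%s\n' "$out"
}

# annotate_listing: read "ls -l" output on stdin, print "OCTAL  NAME" per entry.
# Both date styles seen in the guide ("Jan 19 23:23" and "2006-08-16 16:48")
# are handled when locating the file name.
annotate_listing() {
    while read -r mode links owner group size rest; do
        mode=$(printf %s "$mode" | cut -c1-10)  # drop a trailing "." or "+" (ACL/SELinux)
        case $mode in
            [-dlbcps]?????????) ;;              # permission lines only
            *) continue ;;                      # skips "total 3984"
        esac
        set -- $rest                            # split the date fields from the name
        case $1 in
            [0-9][0-9][0-9][0-9]-*) shift 2 ;;  # ISO date: two fields
            *) shift 3 ;;                       # "Mon DD time" or "Mon DD  YYYY": three
        esac
        printf '%s  %s\n' "$(mode_to_octal "$mode")" "$*"
    done
}

# Constructed listing modelled on the ones in the guide (not captured output)
SAMPLE_LISTING='total 3984
-rwxr-xr-x 1 root root   1643 Jan 19 23:23 myfile
-rw-r--r-- 1 root root   5090 2006-08-16 16:48 rc.pcmcia
-rwsr-xr-x 1 root root  38000 Jan 19 23:23 suidtool
drwx------ 2 root root   4096 Jan 27  2004 Documents'

printf '%s\n' "$SAMPLE_LISTING" | annotate_listing
```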

    Let us look at a practical example of changing permissions. Earlier in this document we discussed the system initialization process. Part of that process is the execution of rc scripts that handle system services. Recall that the file /etc/inittab invokes the appropriate run level scripts in the /etc/rc.d/ directory. In turn, these scripts test various service scripts in the /etc/rc.d/ directory for executable permissions. If the script is executable, it is invoked and the service is started. The test inside the rc.M (multi-user init script) for the PCMCIA service looks like this:


        root@rock:~# chmod 774 myfile
        root@rock:~# ls -l myfile
        -rwxrwxr-- 1 root root 1643 Jan 19 23:23 myfile


        root@rock:~# cat /etc/rc.d/rc.M
        ...
        if [ -x /etc/rc.d/rc.pcmcia ]; then
          . /etc/rc.d/rc.pcmcia start


    The code shown above is an if/then statement where the brackets signify the test and the -x checks for executable permissions. So it would read:

        if the file /etc/rc.d/rc.pcmcia is executable, then execute the command /etc/rc.d/rc.pcmcia start.

    Note that the rc scripts can have either start, stop or restart passed as arguments in most cases.

    A look at the permissions of /etc/rc.d/rc.pcmcia shows that it is not executable, and so will not start at system initialization:

    To change the executable permissions to allow PCMCIA services to start at boot time, I execute the following:

    The directory listing shows that I have changed the executable status of the script. Depending on your color terminal settings, you may also see the color of the file change and an asterisk appended to the name.

    You can use this technique to go through your /etc/rc.d/ directory to turn off those services that you do not need. Since I'm not running a laptop, and don't need PCMCIA services or wireless support:

    Since we are running a 2.6 kernel on Slackware, and we want a forensically sound system in as simple a manner as possible here, you should do the same to the rc.hald (HAL) and rc.messagebus (dbus) service scripts. This will prevent system messages from accessing and automounting storage devices when they are detected. This does NOT prevent them from being detected... just from being mounted and/or opened (normally by virtue of desktop software).

    The changes will take effect next time you boot.


        root@rock:~# ls -l /etc/rc.d/rc.pcmcia
        -rw-r--r-- 1 root root 5090 2006-08-16 16:48 /etc/rc.d/rc.pcmcia

        root@rock:~# chmod 755 /etc/rc.d/rc.pcmcia
        root@rock:~# ls -l /etc/rc.d/rc.pcmcia
        -rwxr-xr-x 1 root root 5090 2006-08-16 16:48 /etc/rc.d/rc.pcmcia*

        root@rock:~# chmod 644 /etc/rc.d/rc.pcmcia
        root@rock:~# chmod 644 /etc/rc.d/rc.wireless

        root@rock:~# chmod 644 /etc/rc.d/rc.hald
        root@rock:~# chmod 644 /etc/rc.d/rc.messagebus
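    As an added example (not the guide's own commands), the following shell functions apply the same [ -x ] test that rc.M uses to audit which rc.* scripts will start at boot, and disable or re-enable services with the chmod values shown above. The rc.d directory is a parameter, so the same functions can be pointed at a mounted image's etc/rc.d, and the demo directory is constructed with mktemp rather than being a real /etc/rc.d.

```shell
#!/bin/sh
# Added example, not part of the guide: audit which Slackware-style rc.*
# service scripts will run at boot, using the same "[ -x ]" test rc.M
# applies, and switch a service off the way the guide does (chmod 644).
# RCDIR is passed in rather than hard-coded as /etc/rc.d, so the same
# functions can be pointed at a mounted suspect image's etc/rc.d.

# rc_will_start RCDIR NAME  ->  yes|no   (mirrors: if [ -x /etc/rc.d/rc.NAME ])
rc_will_start() {
    if [ -x "$1/rc.$2" ]; then echo yes; else echo no; fi
}

# rc_audit RCDIR  ->  "enabled rc.sshd" / "disabled rc.pcmcia", one per script
rc_audit() {
    for f in "$1"/rc.*; do
        [ -f "$f" ] || continue
        if [ -x "$f" ]; then state=enabled; else state=disabled; fi
        printf '%s %s\n' "$state" "${f##*/}"
    done
}

# rc_disable RCDIR NAME...  clears the execute bits (chmod 644, as in the guide)
rc_disable() {
    dir=$1; shift
    for name in "$@"; do chmod 644 "$dir/rc.$name"; done
}

# rc_enable RCDIR NAME...   sets them again (chmod 755, as in the guide)
rc_enable() {
    dir=$1; shift
    for name in "$@"; do chmod 755 "$dir/rc.$name"; done
}

# Constructed stand-in for /etc/rc.d (not a real system): five services
# enabled, rc.pcmcia already switched off.
demo_rcd() {
    d=$(mktemp -d)
    for s in inet1 inet2 sshd hald messagebus pcmcia; do
        printf '#!/bin/sh\necho "rc.%s $1"\n' "$s" > "$d/rc.$s"
        chmod 755 "$d/rc.$s"
    done
    chmod 644 "$d/rc.pcmcia"
    printf '%s\n' "$d"
}

RCD=$(demo_rcd)
echo "before:"; rc_audit "$RCD"
# A forensic workstation does not want HAL/dbus automounting media:
rc_disable "$RCD" hald messagebus
echo "after:";  rc_audit "$RCD"
rm -rf "$RCD"
```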


    Metacharacters

    The Linux command line (actually the bash shell in our case) also supports wildcards (metacharacters):

        *    for multiple characters (including ".").
        ?    for single characters.
        []   for groups of characters or a range of characters or numbers.

    This is a complicated and very powerful subject, and will require further reading. Refer to regular expressions in your favorite Linux text, along with globbing or shell expansion. There are important differences that can confuse a beginner, so don't get discouraged by confusion over what * means in different situations.

    Command Hints

    1. Linux has a history list of previously used commands (stored in the file named .bash_history in your home directory). Use the keyboard arrows to scroll through commands you've already typed.
    2. Linux supports command line editing. You can use the cursor to navigate a previous command and correct errors.
    3. Linux commands and file names are CASE SENSITIVE.
    4. Learn output redirection for stdout and stderr (> and 2>). More on this later.
    5. Linux uses / for directories, DOS uses \.
    6. Linux uses - for command options, DOS uses /.
    7. Use q to quit from less or man sessions.
    8. To execute commands in the current directory (if the current directory is not in your PATH), use the syntax "./command". This tells Linux to look in the present directory for the command. Unless it is explicitly specified, the current directory is NOT part of the normal user path, unlike DOS.

    Pipes and Redirection

    Like DOS, Linux allows you to redirect the output of a command from the standard output (usually the display or "console") to another device or file. This is useful for tasks like creating an output file that contains a list of files on a mounted volume, or in a directory. For example:

    The above command would output a long list of all the files in the current directory. Instead of outputting the list to the console, a new file called "filelist.txt" will be created that will contain the list. If the file "filelist.txt"


    root@rock:~# ls -al > filelist.txt



    already existed, then it will be overwritten. Use the following command to append the output of the command to the existing file, instead of overwriting it:

    Another useful tool similar to that available on DOS is the command pipe. The command pipe takes the output of one command and "pipes" it straight to the input of another command. This is an extremely powerful tool for the command line. Look at the following process list (partial output shown):

    What if all you wanted to see were those process IDs that indicated a bash shell? You could "pipe" the output of ps to the input of grep, specifying "bash" as the pattern for grep to search. The result would give you only those lines of the output from ps that contained the pattern "bash".

    A little later on we will cover using pipes on the command line to help with analysis.

    Stringing multiple powerful commands together is one of the most useful and powerful techniques provided by Linux for forensic analysis. This is one of the single most important concepts you will want to learn if you decide to take on Linux as a forensic tool. With a single command line built from multiple


    root@rock:~# ls -al >> filelist.txt

        root@rock:~# ps ax
          PID TTY      STAT   TIME COMMAND
            1 ?        S      0:00 init [3]
            2 ?        SN     0:00 [ksoftirqd/0]
            3 ?        S<     0:00 [events/0]
            4 ?        S<     0:00 [khelper]
            5 ?        S<     0:00 [kacpid]
           26 ?        S<     0:00 [kblockd/0]
           36 ?        S<     0:00 [vesafb]
           45 ?        S      0:00 [pdflush]
           46 ?        S      0:00 [pdflush]
           48 ?        S<     0:00 [aio/0]
         2490 tty1     S      0:00 bash
         3287 pts/0    Ss     0:00 -bash
         3325 pts/0    R+     0:00 ps ax

        root@rock:~# ps ax | grep bash
         2490 tty1     S      0:00 bash
         3287 pts/0    Ss     0:00 -bash



    commands and pipes, you can use several utilities and programs to boil down an analysis very quickly.

    The Super User

    If Linux gives you an error message "Permission denied", then in all likelihood you need to be "root" to execute the command or ed