
Computer forensic science - Santa Monica College
Source: homepage.smc.edu/morgan_david/linux/lab-forensics.pdf

Page 1: Computer forensic science

© David Morgan 2011

This drive has been victimized!

Mallory

Page 2: CS78 students must help!

What happened?!

CS78 students

Every student gets a copy

Page 3: Forensic science

… it’s detective work

Computer forensic science

Page 4: Not enough drives for everybody

Would you accept a (large) file?

dd if=drive of=file   (the figure labels the resulting file drive.image)

This week’s exercise

• shared with us by UCLA professors Peter A. H. Peterson and Peter Reiher (for which, thanks!)
• they had a corrupted/hacked/victimized drive
• they dd’ed it to a file
• they named that file “act2.img”
• every student gets a copy

Page 5: Disks, partitions, filesystems, and files

(figure: how a disk is built up layer by layer, labelled (a) to (e))
(a) disk: a virgin hard disk (maybe by Western Digital)
(b) MBR: an MBR written (maybe by grub; partition table inside)
(c) partition: a partition defined (maybe by fdisk; in the MBR)
(d) filesystem: a filesystem written (maybe by mkfs, in the partition)
(e) files: files created (maybe by vi, in the filesystem)

Naming of disks and partitions: as if devices (/dev/…)

/dev/hda (the disk)
/dev/hda1 (the first partition on that disk)

Page 6: Q. How can you use your files?

A. Mount their containing filesystem into a hierarchical file tree (at a mountpoint somewhere under /).

What does mount mount?

• mount mounts filesystems
• mount does not mount anything else
  – not disks
  – not partitions
  – not files
• give mount the name of the filesystem to mount
• but filesystems don’t have their own names!
• so instead we give mount the name of a partition that contains the filesystem to mount

Page 7: Q. How can you mount a filesystem?

A. By referencing its containing partition:

mount /dev/hda1 /mountpoint

Copy/dd whole partition into a file

• partition copy lacks a device name to mount by
• give it one with losetup

(figure: little disk and big disk; file boundaries are dark blue rectangles, file contents are the rectangles’ interiors)

Page 8: Copy/dd whole disk into a file (on a bigger disk)

• disk copy lacks a device name
• give it one with losetup

(figure: little disk and big disk; file boundaries are dark blue rectangles, file contents are the rectangles’ interiors)

Obtaining your “disk” using losetup and mount

• associate /dev/loop0 with data
• now de-associate
• associate with other data
• while associated, treat /dev/loop0 as if a device, holding the loop-associated data as the device’s content
• First, fdisk worked with /dev/loop0 because the data associated with it was that of a disk, and fdisk works with disks
• Later, mount worked with /dev/loop0 when the data associated with it was that of a filesystem, and mount works with filesystems
• on DETER, ~ is persistent

(figure: loop device boundaries are red rectangles, loop device contents are the rectangles’ interiors)
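The two-step procedure above (fdisk on the loop device while it holds the whole disk, then mount once it holds just the filesystem) worked out as an added shell example; this is not code from the slides or from Peterson and Reiher's instructions. It assumes util-linux losetup and mount and an ext3/ext4 filesystem (drop the noload option for other types); the fdisk table is constructed sample data, and act2.img1 and the ~/sda1 mountpoint follow the slides' naming. For a partition-only image (page 7) the offset is simply 0 and the fdisk step is unnecessary.

```shell
#!/bin/sh
# Constructed sample in the format "fdisk -l act2.img" prints; NOT the real
# lab image's table. One Linux partition starting at sector 63, 512-byte sectors.
SAMPLE_FDISK='Disk act2.img: 2 GiB, 2147483648 bytes, 4194304 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes

Device     Boot Start     End Sectors Size Id Type
act2.img1  *       63 4192964 4192902   2G 83 Linux'

# part_offset_bytes FDISK_OUTPUT PARTITION
# Prints the partition's byte offset inside the image
# (start sector from its row * logical sector size); fails if either is missing.
part_offset_bytes() {
    printf '%s\n' "$1" | awk -v part="$2" '
        /^Sector size/ { secsize = $4 }
        $1 == part     { start = ($2 == "*") ? $3 : $2 }   # skip a boot flag
        END {
            if (secsize == "" || start == "") exit 1
            printf "%d\n", start * secsize
        }'
}

# loop_mount_plan IMAGE PARTITION MOUNTPOINT FDISK_OUTPUT
# Prints the two commands to run (through sudo, as page 10 says) on the workbench:
#   losetup -r         : read-only loop device, so analysis cannot alter the evidence
#   -f --show          : pick the first free /dev/loopN and print its name
#   -o OFFSET          : associate the loop device with just the partition's bytes
#   mount -o ro,noload : read-only, and no ext3/ext4 journal replay on mount
loop_mount_plan() {
    _off=$(part_offset_bytes "$4" "$2") || { echo "no such partition: $2" >&2; return 1; }
    printf 'LOOP=$(sudo losetup -r -f --show -o %s %s)\n' "$_off" "$1"
    printf 'sudo mount -o ro,noload "$LOOP" %s\n' "$3"
}

# Demo on the constructed table; in practice pass "$(fdisk -l act2.img)" as the last argument.
loop_mount_plan act2.img act2.img1 "$HOME/sda1" "$SAMPLE_FDISK"
```

After mounting, the victim's logs are under the mountpoint (~/sda1/var/log per page 9), not under the workbench's own /var/log.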

Page 9: Distinguish among machines

• 3 computers
  – workbench.CFS.USCCSci530.isi.deterlab.net (yours)
  – users.isi.deterlab.net (holds export-mounted parts of your filesystem)
  – the one whose corrupted disk we’re analyzing
• pathnames are confusing
  – don’t look at the logs in /var/log, for example
  – look at those in ~/sda1/var/log

Software tools

• Peterson & Reiher’s instructions document numerous commands as potential tools
• I found these particularly useful/essential
  – sudo
  – history
  – e2undel
  – strings; xxd and hexedit

Page 10: sudo – use liberally

you can’t, but root can

Everybody can do everything as root … provided they do it through sudo

sudo’s config file

history – use the “cat” command, not the “history” command

Must be some sensitive data in here

Page 11: e2undel

• recover to a persistent place
• OK on mounted image, no need to umount
• try the different time periods when deletions may have occurred
• choose something to recover
• then look at it

Binary file contents – strings, xxd

• strings extracts just the ASCII portions
• xxd and hexedit show each byte twice, as both hex and ASCII symbol (if any, “.” otherwise)

Page 12: scp – secure remote file copy

no files start with “pass” on aludra

scp puts one there

and now there it is

we have one locally

System log files

start here

Page 13: The assignment – write a report

it was