computer forensic science - santa monica...
TRANSCRIPT
© David Morgan 2011
Computer forensic science
"This drive has been victimized!" (Mallory)
CS78 students must help!
"What happened?!" (CS78 students)
Every student gets a copy
Forensic science
… it's detective work
Computer forensic science
Not enough drives for everybody
would you accept a (large) file?
dd if=drive of=file    (the copy is an ordinary file, e.g. drive.image)
This week's exercise
• shared with us by UCLA professors Peter A. H. Peterson and Peter Reiher (for which, thanks!)
• they had a corrupted/hacked/victimized drive
• they dd'ed it to a file
• they named that file "act2.img"
• every student gets a copy
Disks, partitions, filesystems, and files
(a) a virgin hard disk (maybe by Western Digital)
(b) an MBR written (maybe by grub; partition table inside)
(c) a partition defined (maybe by fdisk; in the MBR)
(d) a filesystem written (maybe by mkfs, in the partition)
(e) files created (maybe by vi, in the filesystem)
Naming of disks and partitions: as if devices (/dev/…)
/dev/hda     the disk (a)
/dev/hda1    a partition on it (c)
Q. how can you use your files?
A. mount their containing filesystem into a hierarchical file tree (at a mountpoint somewhere under /)
What does mount mount?
• mount mounts filesystems
• mount does not mount anything else
  – not disks
  – not partitions
  – not files
• give mount the name of the filesystem to mount
• but filesystems don't have their own names!
• so instead we give mount the name of a partition that contains the filesystem to mount
Q. how can you mount a filesystem?
A. by referencing its containing partition
mount /dev/hda1 /mountpoint
Copy/dd whole partition into a file
• partition copy lacks a device name to mount by
• give it one with losetup
Copy/dd whole disk into a file (on a bigger disk)
• disk copy lacks a device name
• give it one with losetup
Obtaining your "disk" using losetup and mount
• associate /dev/loop0 with data
• now de-associate
• associate with other data
• while associated, treat /dev/loop0 as if a device, holding the loop-associated data as the device's content
• First, fdisk worked with /dev/loop0 because the data associated with it was that of a disk, and fdisk works with disks
• Later, mount worked with /dev/loop0 when the data associated with it was that of a filesystem, and mount works with filesystems
• on DETER ~ is persistent
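The step the slides leave to fdisk (finding where the partition, and hence the filesystem, sits inside a whole-disk image) can be done by hand from the MBR. The following is an added example, not part of the slides or of Peterson & Reiher's instructions: it builds a small constructed disk image with one partition, decodes the partition table with POSIX tools (dd, od, printf), and computes the byte offset that losetup -o or mount -o loop,offset= needs. The image layout (type 0x83, start LBA 2048, 4096 sectors), the loop device /dev/loop1 and the use of ~/sda1 as the mountpoint are this example's assumptions; act2.img is the image name from the exercise. Nothing here needs root, only the commands it prints at the end do.

```bash
#!/bin/sh
# Added example (not from the slides): decode the MBR partition table of a raw
# dd image with POSIX tools, so the byte offset for "losetup -o" or
# "mount -o loop,offset=" can be computed without root and without fdisk.

# Emit a 32-bit value as four little-endian bytes in printf octal-escape form.
le32() {
    printf '\\%03o\\%03o\\%03o\\%03o' \
        $(( $1 & 255 )) $(( ($1 >> 8) & 255 )) \
        $(( ($1 >> 16) & 255 )) $(( ($1 >> 24) & 255 ))
}

# Build a CONSTRUCTED disk image (assumed layout, stands in for act2.img):
# zeroed sectors, one bootable Linux partition (type 0x83) starting at
# LBA 2048 and 4096 sectors long, and the 0x55AA MBR signature.
make_demo_image() {
    dd if=/dev/zero of="$1" bs=512 count=6144 2>/dev/null
    # Partition entry 1 occupies MBR bytes 446..461:
    #   status(1) chs_first(3) type(1) chs_last(3) lba_start(4) lba_count(4)
    printf "\\200\\000\\000\\000\\203\\000\\000\\000$(le32 2048)$(le32 4096)" |
        dd of="$1" bs=1 seek=446 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# True if bytes 510..511 hold the 0x55 0xAA signature (od prints 85 170).
mbr_has_signature() {
    set -- $(od -A n -t u1 -j 510 -N 2 "$1")
    [ "$1" = 85 ] && [ "$2" = 170 ]
}

# Decode partition entry N (1..4) of IMG. Prints five fields:
#   type lba_start lba_count byte_offset byte_length
mbr_part_entry() {
    img=$1
    set -- $(od -A n -t u1 -j $(( 446 + 16 * ($2 - 1) )) -N 16 "$img")
    ptype=$5
    start=$(( $9 | (${10} << 8) | (${11} << 16) | (${12} << 24) ))
    count=$(( ${13} | (${14} << 8) | (${15} << 16) | (${16} << 24) ))
    printf '%d %d %d %d %d\n' "$ptype" "$start" "$count" \
        $(( start * 512 )) $(( count * 512 ))
}

# Just the byte offset: the number losetup -o and mount -o offset= want.
mbr_part_offset() {
    mbr_part_entry "$1" "$2" | cut -d' ' -f4
}

# Demo run on the constructed image.
IMG=$(mktemp)
make_demo_image "$IMG"
mbr_has_signature "$IMG" && echo "MBR signature ok"
echo "entry 1 (type start count offset length): $(mbr_part_entry "$IMG" 1)"
OFF=$(mbr_part_offset "$IMG" 1)
# The mount steps need root, so they are only printed; run them on the real
# image. -r / ro keep the evidence read-only; /dev/loop1 is an assumption.
echo "sudo losetup -r -o $OFF /dev/loop1 act2.img && sudo mount -o ro /dev/loop1 ~/sda1"
echo "   or: sudo mount -o ro,loop,offset=$OFF act2.img ~/sda1"
rm -f "$IMG"
```

Once the offset is known, the whole-disk image can be attached at that offset so the loop device presents only the partition, which is what mount needs; an offset of 0 (or no -o at all) gives the whole disk, which is what fdisk needs. An unused entry decodes to all zeros, so checking the type byte before trusting the offset avoids mounting from an empty slot.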
Distinguish among machines
• 3 computers
  – workbench.CFS.USCCSci530.isi.deterlab.net (yours)
  – users.isi.deterlab.net (holds export-mounted parts of your filesystem)
  – the one whose corrupted disk we're analyzing
• pathnames are confusing
  – don't look at the logs in /var/log, for example
  – look at those in ~/sda1/var/log
Software tools
• Peterson & Reiher's instructions document numerous commands as potential tools
• I found these particularly useful/essential
  – sudo
  – history
  – e2undel
  – strings; xxd and hexedit
sudo – use liberally
you can't, but root can
Everybody can do everything as root … provided they do it through sudo (as allowed by sudo's config file)
history – use "cat" not the "history" command
(the history command shows your own shell's history; the victim's is in the shell history files on the mounted image)
Must be some sensitive data in here
e2undel
• recover to a persistent place
• OK on mounted image, no need to umount
• try the different time periods when deletions may have occurred
• choose something to recover, then look at it
Binary file contents – strings, xxd
• strings extracts just the ASCII portions
• xxd and hexedit show each byte twice, as both hex and ASCII symbol (if any, "." otherwise)
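What "extracts just the ASCII portions" means in practice, as an added example that is not from the slides: a stand-in for strings -n MINLEN built from POSIX tools, run over a constructed byte string that mixes readable text with NUL, control and high bytes. The sample input and the minimum length of 4 are this example's own; the real tool is still the one to reach for on act2.img.

```bash
#!/bin/sh
# Added example (not from the slides): a POSIX-tools stand-in for
# "strings -n MINLEN". tr rewrites every non-printable byte (NUL, control
# bytes, bytes above 0x7E) as a newline, so each remaining line is one run of
# printable characters; grep then keeps only runs of at least MINLEN chars.
printable_runs() {
    min=${2:-4}
    LC_ALL=C tr -c '[:print:]\n' '\n' < "$1" | LC_ALL=C grep -E ".{$min,}"
}

# CONSTRUCTED sample "binary": two readable strings separated by junk bytes,
# plus the 2-character fragment "pw" that a minimum length of 4 should drop.
SAMPLE=$(mktemp)
printf 'GET /index.html\000\001\002pw\003\377root:x:0:0\000' > "$SAMPLE"
printable_runs "$SAMPLE" 4      # GET /index.html  and  root:x:0:0
printable_runs "$SAMPLE" 2      # now the short fragment "pw" shows up too
rm -f "$SAMPLE"
```

Lowering the minimum length recovers short fragments at the cost of noise, which is why strings -n is worth varying when hunting for passwords or hostnames in a disk image; xxd at the offsets strings reports then shows the surrounding non-ASCII bytes that strings threw away.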
scp – secure remote file copy
• no files start with "pass" on aludra
• scp puts one there
• and now there it is
• we have one locally
System log files
start here
The assignment – write a report
it was