Linux as a forensic tool intro
Posted on 31-Oct-2015
A Practitioner's Guide to Linux as a Computer Forensic Platform
Barry J. Grundy, bgrundy@LinuxLEO.com
VER 3.78, December 2008

v.3.78 The Law Enforcement and Forensic Examiner's Introduction to Linux
Contents

Legalities .... 4
Acknowledgments .... 4
Foreword .... 5
A Word About the GNU in GNU/Linux .... 6
Why Learn Linux? .... 6
Conventions Used in This Document .... 7

I. Installation .... 8
  Distributions .... 8
  Slackware and Using This Guide .... 11
  Installation Methods .... 12
  Slackware Installation Notes .... 12
  Desktop Environment .... 16
  The Linux Kernel: Versions and Issues .... 16
  Configuring Slackware 12: 2.6 Kernel Considerations .... 19
    udev .... 19
    Hardware Abstraction Layer .... 20
    DBUS .... 20
    2.6 Kernel and Desktops .... 21
  Rolling Your Own: The Custom Kernel .... 21

II. Linux Disks, Partitions and the File System .... 23
  Disks .... 23
  Partitions .... 23
  Using Modules: Linux Drivers .... 25
  Device Recognition .... 27
  The File System .... 28

III. The Linux Boot Sequence (Simplified) .... 30
  Booting the Kernel .... 30
  Initialization .... 32
  Runlevel .... 32
  Global Startup Scripts .... 33
  Service Startup Scripts .... 33
  Bash .... 34

IV. Linux Commands .... 36
  Linux at the Terminal .... 36
  Additional Useful Commands .... 39
  File Permissions .... 41
  Metacharacters .... 44
  Command Hints .... 44
  Pipes and Redirection .... 44
  The Superuser .... 46

V. Editing with vi .... 47
  The Joy of vi .... 47
  vi Command Summary .... 48

VI. Mounting File Systems .... 49
  The mount Command .... 49
  The File System Table (/etc/fstab) .... 51
Barry J. Grundy 2
VII. Linux and Forensics .... 53
  Included Forensic Tools .... 53
  Analysis Organization .... 54
  Determining the Structure of the Disk .... 55
  Creating a Forensic Image of the Suspect Disk .... 56
  Mounting a Restored Image .... 57
  Mounting the Image Using the Loopback Device .... 58
  File Hash .... 58
  The Analysis .... 61
  Making a List of All Files .... 62
  Making a List of File Types .... 63
  Viewing Files .... 65
  Searching Unallocated and Slack Space for Text .... 66

VIII. Common Forensic Issues .... 70
  Handling Large Disks .... 70
  Preparing a Disk for the Suspect Image .... 72
  Obtaining Disk Information .... 74

IX. Advanced (Beginner) Forensics .... 76
  The Command Line on Steroids .... 76
  Fun with dd .... 84
  Splitting Files and Images .... 84
  Compression on the Fly with dd .... 87
  Data Carving with dd .... 91
  Carving Partitions with dd .... 94
  Determining the Subject Disk File System Structure .... 98
  dd Over the Wire .... 101

X. Advanced Forensic Tools .... 104
  Alternative Imaging Tools .... 106
    dc3dd .... 106
    ddrescue .... 113
    Bad Sectors: ddrescue .... 119
    Bad Sectors: dc3dd .... 122
    Bad Sector Acquisition Conclusions .... 124
  libewf: Working with Expert Witness Files .... 125
  Sleuthkit .... 134
  Sleuthkit Installation and System Prep .... 136
  Sleuthkit Exercises .... 138
    Sleuthkit Exercise #1: Deleted File Identification and Recovery .... 139
    Sleuthkit Exercise #2: Physical String Search & Allocation Status .... 150
    Sleuthkit Exercise #3: Unallocated Extraction & Examination .... 157
    Sleuthkit Exercise #4: NTFS Examination: File Analysis .... 163
    Sleuthkit Exercise #5: NTFS Examination: ADS .... 168
    Sleuthkit Exercise #6: NTFS Examination: Sorting Files .... 171
    Sleuthkit Exercise #7: Signature Search in Unallocated Space .... 174
  SMART for Linux .... 179
    SMART Filtering .... 185
    SMART Filtering: Viewing Graphics Files .... 187
    SMART Searching .... 189

XI. Bootable Linux Distributions .... 194
  tomsrtbt: Boot from a Floppy .... 194
  Knoppix: Full Linux Without the Install .... 194
  SMART Linux: It's Bootable! .... 194
  Helix: Knoppix Based Incident Response .... 195

XII. Conclusion .... 196

XIII. Linux Support .... 197
  Places to Go for Support .... 197
Legalities

All trademarks are the property of their respective owners.

© 1998-2008 Barry J. Grundy (bgrundy@LinuxLEO.com): This document may be redistributed, in its entirety, including the whole of this copyright notice, without additional consent if the redistributor receives no remuneration and if the redistributor uses these materials to assist and/or train members of Law Enforcement or Security/Incident Response professionals. Otherwise, these materials may not be redistributed without the express written consent of the author, Barry J. Grundy.
Acknowledgments

As this guide grows in length and depth, so do the contributions I receive from others in the field that take time out of their own busy days to assist me in making sure that this document is at least accurate if not totally complete. I very much appreciate the proofreading and suggestions made by all. Every time I get comments back on a draft version of this guide, I learn something new.

I would like to thank Cory Altheide, Brian Carrier, Christopher Cooper, Nick Furneaux, John Garris, Robert-Jan Mora, and Jesse Kornblum for providing critical review, valuable input, and in some cases, a much needed sanity check of the contents of this document. Special thanks to Robby Workman for providing very constructive guidance on Slackware details throughout the entire guide. All of the expertise and contributions are greatly appreciated.

Also, I would like to specifically thank all of the Linux Kernel, various distribution, and software development teams for their hard work in providing us with an operating system and utilities that are robust and controllable. Too often we forget the amount of dedication and work that goes into what many end users expect to "just work".
Foreword

The purpose of this document is to provide an introduction to the GNU/Linux ("Linux") operating system as a forensic platform for computer crime investigators and forensic examiners.

This is the third major iteration of this paper. There is a balance to be met between maintaining the original introductory purpose of the work, and the constant requests from others coupled with my own desire to add more detailed content. Since the first release, this work has almost quadrupled in length. The content is meant to be beginner level, but as the computer forensic community evolves and the subject matter widens and becomes more mainstream, the definition of "beginner level" material starts to blur. As a result, I've made an effort to keep the material as basic as possible without omitting those subjects that I see as fundamental to the proper understanding of Linux and its potential as a computer forensic platform. A number of people have pointed out to me that with inclusion of some of the more complex exercises, this document should be given the more fitting "practitioner's guide" moniker rather than "beginner's guide".

We follow the philosophy that a hands-on approach is the best way to learn. GNU/Linux operating system utilities and specialized forensic tools available to investigators for forensic analysis are presented with practical exercises.

This is by no means meant to be the definitive "how-to" on forensic methods using Linux. Rather, it is a (somewhat extended) starting point for those who are interested in pursuing the self-education needed to become proficient in the use of Linux as an investigative tool. Not all of the commands offered here will work in all situations, but by describing the basic commands available to an investigator I hope to "start the ball rolling". I will present the commands; the reader needs to follow up on the more advanced options and uses. Knowing how these commands work is every bit as important as knowing what to type at the prompt. If you are even an intermediate Linux user, then much of what is contained in these pages will be review. Still, I hope you find some of it useful.

Over the years I have repeatedly heard from colleagues that have tried Linux by installing it, and then proceeded to sit back and wonder "what next?" I have also entertained a number of requests and suggestions for a more expansive exploration of applications available to Linux for forensic analysis at the application level. You have a copy of this introduction. Now download the exercises and drive on.
As always, I am open to suggestions and critique. My contact information is on the front page. If you have ideas, questions, or comments, please don't hesitate to e-mail me. Any feedback is welcome.

This document is occasionally (infrequently, actually) updated. Check for newer versions (numbered on the front page) at the official site:

http://www.LinuxLEO.com
A word about the GNU in GNU/Linux

When we talk about the Linux operating system, we are actually talking about the GNU/Linux operating system (OS). Linux itself is not an OS. It is just a kernel. The OS is actually a combination of the Linux kernel and the GNU utilities that allow us (more specifically our hardware) to interact with the kernel. Which is why the proper name for the OS is GNU/Linux. We (incorrectly) call it Linux for convenience.
Why Learn Linux?

One of the questions I hear most often is: "why should I use Linux when I already have [insert Windows GUI forensic tool here]?" There are many reasons why Linux is quickly gaining ground as a forensic platform. I'm hoping this document will illustrate some of those attributes.

- Control: not just over your forensic software, but the whole OS and attached hardware.
- Flexibility: boot from a CD (to a complete OS), file system support, platform support, etc.
- Power: A Linux distribution is (or can be) a forensic tool.

Another point to be made is that simply knowing how Linux works is becoming more and more important. While many of the Windows based forensic packages in use today are fully capable of examining Linux systems, the same cannot be said for the examiners.

As Linux becomes more and more popular, both in the commercial world and with desktop users, the chance that an examiner will encounter a Linux system in a case becomes more likely (especially in network investigations). Even if you elect to utilize a Windows forensic tool to conduct your analysis, you must at least be familiar with the OS you are examining. If you do not know what is "normal", then how do you know what does not belong? This is true on so many levels, from the actual contents of various directories to strange entries in configuration files, all the way down to how files are stored.
While this document is more about Linux as a forensic tool rather than analysis of Linux, you can still learn a lot about how the OS works by actually using it.
Conventions used in this document

When illustrating a command and its output, you will see something like the following:

    root@rock:~# command
    output...

This is essentially a command line (terminal) session where...

root@rock:~#

...is the command prompt, followed by the command (typed by the user) and then the command's output. The command will be shown in bold text to further differentiate it from command output.

In Linux, the command prompt can take different forms, depending on the environment settings (the default differs among distributions). In the example above, the format is

user@hostname directory #

meaning that we are the user "root" working on the computer named "rock", currently in the directory "root" (the root user's home directory; in this case, the home directory is symbolized by the shorthand representation of the tilde, "~"). Note that for a root login the command prompt's trailing character is "#". If we log in as a regular user, the default prompt character changes to a "$", as in the following example:

bgrundy@rock:~$

This is an important difference. The root user is the system "superuser". We will cover the differences between user logins later in this document.
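As an added illustration of the prompt convention just described (example code written for this edit, not from the guide), the following shell functions read a recorded terminal session in the guide's "user@host:dir#" / "user@host:dir$" style and tag each typed command with the privilege its prompt implies, so a reviewer can tell at a glance which steps of a session ran as root. The session text is constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the guide: separate the commands in a recorded
# terminal session from their output, using the prompt convention described
# above ('user@host:dir# cmd' for root, 'user@host:dir$ cmd' for a regular user).

# Constructed sample session in that convention (not a real capture).
SESSION='bgrundy@rock:~$ ls
exercises  notes.txt
bgrundy@rock:~$ su -
Password:
root@rock:~# fdisk -l
Disk /dev/sda: 80.0 GB, 80026361856 bytes
root@rock:~# exit
bgrundy@rock:~$ whoami
bgrundy'

# list_commands SESSION
# Prints one line per typed command as: PRIV<TAB>user@host<TAB>command
# PRIV is "root" when the prompt ends in '#', "user" when it ends in '$'.
# Lines that do not start with a prompt are command output and are skipped.
list_commands() {
    printf '%s\n' "$1" | awk '
        match($0, /^[A-Za-z0-9_.-]+@[A-Za-z0-9_.-]+:[^ ]*[#$] /) {
            prompt = substr($0, 1, RLENGTH - 1)       # e.g. "root@rock:~#"
            cmd    = substr($0, RLENGTH + 1)          # text typed after the prompt
            mark   = substr(prompt, length(prompt))   # trailing "#" or "$"
            split(prompt, p, ":")                     # p[1] is "user@host"
            printf "%s\t%s\t%s\n", (mark == "#" ? "root" : "user"), p[1], cmd
        }'
}

# count_root_commands SESSION
# Number of commands issued from a root ('#') prompt.
count_root_commands() {
    list_commands "$1" | awk -F '\t' '$1 == "root" { n++ } END { print n + 0 }'
}

# Stand-alone use: show the typed commands and how many of them ran as root.
list_commands "$SESSION"
echo "commands run as root: $(count_root_commands "$SESSION")"
```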
I. Installation

First and foremost, know your hardware. If your Linux machine is to be a dual boot system with Windows, then use the Windows Device Manager to record all your installed hardware and the settings used by Windows. If you are setting up a standalone Linux system, then gather as much documentation about your system as you can. This has become much less important with the evolution of the Linux install routines. Hardware compatibility and detection have been greatly improved over the past couple of years. Some of the recent versions of distributions, like Ubuntu Linux, have extraordinary hardware detection.

- Hard drive: knowing the size and geometry is helpful when planning your partitioning.
- SCSI adapters and devices (note the adapter chipset). SCSI is very well supported under Linux.
- Sound card (note the chipset).
- Video card (important to know your chipset and memory, etc.).
- Monitor timings.
- Horizontal and vertical refresh rates.
- Network card (chipset).
- Network parameters:
  - IP (if not DHCP)
  - Netmask
  - Broadcast address
  - DNS servers
  - Default gateway
- USB controller support is standard in current distributions.
- IEEE1394 (Firewire) controller support is also standard in current distributions.

In the vast majority of cases, most of this information will not be needed. But it's always handy to know your hardware if you must troubleshoot.

Most distributions have a plethora of documentation, including online help and documents in downloadable form. Do a Web search and you are likely to find a number of answers to any question you might have about hardware compatibility issues in Linux.
Distributions

Linux comes in a number of different "flavors". These are most often referred to as distributions ("distro"). Default kernel configuration, tools that are included (system management and configuration, etc.) and the package format (the "upgrade path") most commonly differentiate the various Linux distros.

It is common to hear users complain that device X works under Suse Linux, but not on Red Hat, etc. Or that device Y did not work under Red Hat version 9, but a change to CentOS fixed it. Most often, the difference is in the version of the Linux kernel being used and therefore the updated drivers, or the patches applied by the distribution vendor, not the version of the distribution (or the distribution itself).

Here's an overview of just a few of the Linux distros that are available. Selecting one is a matter of preference. Many of these distros now provide a "live CD" that allows a user to boot a CD into a fully functional operating environment. Try them out and see what pleases you.
Red Hat / Fedora: One of the most popular Linux distributions. Red Hat works with companies like Dell, IBM and Intel to assist businesses in the adoption of Linux for enterprise use. Use of RPM and Kickstart began the first real user upgrade paths for Linux. Red Hat has elected to move into an enterprise oriented business model. It is still a viable option for the desktop through the Fedora Project (http://fedoraproject.org/). Fedora is an excellent choice for beginners because of the huge install base and the proliferation of online support. The install routine is well polished and hardware support is well documented. Another Red Hat based distribution is CentOS.

Debian: Not really for beginners. The installation routine is not as polished as some other distributions. Debian has always been a "hacker" favorite. It is also one of the most non-commercial Linux distributions, and true to the spirit of GNU/GPL. (http://www.debian.org/).

SuSE: Now owned by Novell, SuSE is originally German in origin. It is by far the largest software inclusive distribution. (http://www.novell.com/linux/). There is an open support network and download directory at http://www.opensuse.org. A Live CD is also available.

Mandriva Linux: Formerly known as Mandrake. Mandriva is a favorite of many beginners and desktop users. It is heavy on GUI configuration tools, allowing for easy migration to a Linux desktop environment. (http://wwwnew.mandriva.com/).
Gentoo Linux: Source-centric distribution that is optimized during install; one of my personal favorites. Once through the complex installation routine, upgrading the system and adding software is made extremely easy through Gentoo's Portage system. Not for beginners, though. You are left to configure the system entirely on your own. If you have endless patience and a lot of time, it can be a fantastic learning experience. (http://www.gentoo.org/).

Ubuntu Linux: A relative newcomer, Ubuntu Linux is based on Debian and although I've not used it myself, it has a reputation for fantastic hardware detection and ease of use and installation. (http://www.ubuntulinux.org). I've heard that this is a great choice for beginners.

Slackware: The original commercial distribution. Slackware has been around for years. Installation is now almost as easy as all the others. Good standard Linux. Not over-encumbered by GUI config tools. Slackware aims to produce the most "UNIX-like" Linux distro available. One of my personal favorites, and in my humble opinion, currently one of the best choices for a forensic platform. (http://www.slackware.com/). This guide is tailored for use with a Slackware Linux installation.

Lots of information on more distributions than you care to read about is available at http://www.distrowatch.com.

My suggestion for the absolute beginner looking to experience an overall desktop OS would be either the newest version of Fedora Core or Ubuntu. If you really want to dive in and bury yourself, go for Gentoo, Slackware or Debian. If you choose one of these latter distributions, be prepared to read a lot.

If you are unsure where to start, will be using this guide as your primary reference, and are interested mainly in forensic applications of Linux, then I would suggest Slackware. More on why a little later.

One thing to keep in mind: As I mentioned earlier, if you are going to use Linux in a forensic capacity, then try not to rely on GUI tools too much. Almost all settings and configurations in Linux are maintained in text files (usually in either your home directory, or in /etc). By learning to edit the files yourself, you avoid problems when either the X window system is not available, or when the specific GUI tool you rely on is not on a system you might come across. In addition, knowledge of the text configuration files will give you insight into what is "normal", and what might have been changed when you examine a subject system. Learning to interpret Linux configuration files is all part of the "forensic experience".
SLACKWARE and Using this Guide

Because of differences between distributions, the Linux flavor of your choice can cause different results in commands' output and different behavior overall. Additionally, some sections of this document describing configuration files or startup scripts, for example, might appear vastly different depending on the distro you select.

If you are selecting a Linux distribution for the sole purpose of learning through following along with this document, then I would suggest Slackware. Slackware is stable and does not attempt to "enrich" the user's experience with cutting edge file system hacks or automatic configurations that might hamper forensic work. Detailed sections of this guide on the inner workings of Linux will be written toward a basic Slackware installation (currently in version 12.1).

Previous versions of this document attempted to be far more "distro independent". The examples and discussions of configuration files were focused on the more popular distribution formats. In the intervening years, there has been a veritable explosion of different flavors of Linux. This guide has been linked on a number of web sites, and has been used in a variety of training forums. As a result of these changes, I have found myself receiving numerous e-mails asking questions like "The output I get does not match what's in your guide. I'm using 'Fuzzy Kitten Linux 2.0' with kernel version 2.6.16-fk145.2... What could be wrong?" My reply has become standard to such queries: "I'm not familiar with that version of Linux, and I'm not sure what changes have been made to that kernel." Providing answers to questions on the exercises that follow requires that I know a little about the environment being used. To that end, I've decided to point people towards a standard, stable version of Linux that includes few surprises.

By default, Slackware's current installation routine leaves initial disk partitioning up to the user. There are no default schemes that result in surprising volume groups or other complex disk management techniques. The resulting file system table (also known as fstab) is standard and does not require editing to provide for a forensically sound environment, unlike some other popular distributions.
The most recent version of Slackware (12.x) now uses the 2.6 series kernel by default. In many circumstances, your hardware will require that you use a 2.6 kernel (certain SATA controllers, etc.). In recognition of this, the current version of this document now assumes that the user has installed a 2.6 kernel version of Linux. This brings the LinuxLEO Practitioner's Guide in line with the majority of forensic practitioners currently using Linux, including myself. Previous versions of this document suggested a 2.4 (kernel version) install.

Slackware Linux is stable, consistent, and simple. As always, Linux is Linux. Any distribution can be changed to function like any other (in theory). However, my philosophy has always been to start with an optimal system, rather than attempt to "roll back" a system heavily modified and optimized for the desktop rather than a forensic workstation.

If you are comfortable with another distribution, then by all means, continue to use and learn it. Just be aware that there may be customizations and modifications made to the standard kernel and file system setups that might not be ideal for forensic use. These can always be remedied, but I prefer to start as close to optimal as possible.
Installation Methods

- Download the needed ISO (CD image) files, burn them to a CD and boot the media. This is the most common method of installing Linux. Most distros can be downloaded for free via http, ftp, or torrent. Slackware is available at http://www.slackware.com. Have a look at http://linuxlookup.com/linux_iso or http://distrowatch.com/ for information on downloading and installing other Linux flavors.
- Use a bootable Linux distribution (covered later). For example, the SMART or Helix Linux bootable CDs can easily be used as experimental platforms. See http://www.asrdata2.com or http://www.e-fense.com/helix for more information.

During a standard installation, much of the work is done for you, and relatively safe defaults are provided. As mentioned earlier, hardware detection has gone through some great improvements in recent years. I strongly believe that many (if not most) Linux distros are far easier and faster to install than other mainstream operating systems. Typical Linux installation is well documented online (check the "how-tos" at the Linux Documentation Project: http://www.tldp.org/). There are numerous books available on the subject, and most of these are supplied with a Linux distribution ready for install.

Familiarize yourself with Linux disk and partition naming conventions (covered in Chapter II of this document) and you should be ready to start.
Slackware Installation Notes

As previously mentioned, it is suggested that you start with Slackware if this is your first foray into Linux and forensics AND your primary interest is forensics. If you do decide to give Slackware a shot, here are some simple guidelines. The documentation provided on Slackware's site is complete and easy to follow. Read there first...

- Decide on standalone Linux or dual boot.
- Install Windows first in a dual boot system. If you have Vista, be careful; there are issues you should be aware of. Research dual booting with Vista before proceeding.
- Determine how you want the Linux system to be partitioned.
- Do NOT create any extra partitions with Windows fdisk. Just leave the space unallocated. Slackware will require you to utilize Linux fdisk or another partitioning tool at the start of the install process.
- READ through the installation documentation before you start the process. Don't be in a hurry. If you want to learn Linux, you have to be willing to read. For Slackware, have a look through the installation chapters of the Slackbook located at http://www.slackbook.org. For a basic (but detailed) understanding of how Linux works and how to use it, the Slackbook should be your first stop.

1) Boot the Linux media. Slackware requires only the first two installation disks (or the single DVD).

- Read each screen carefully.
- Accepting most defaults works.
- Your hardware will be detected and configured under most (if not all) circumstances. Online support is extensive if you have problems.
- Keep in mind that if a piece of hardware causes problems during an install, or is not detected during installation, this does not mean that it will not work. Install the operating system and spend some time troubleshooting. When learning Linux, Google is very often your best friend (try http://www.google.com/linux).

The Slackware install CD for the current version (12.1) will boot by default using a kernel called hugesmp.s. It includes support for most hardware by default and supports multiple CPUs. If it does not work, then try the single CPU i486 kernel huge.s. Hit the F2 key at the initial boot: prompt for more info.

Once the system is booted, you are presented with the slackware login: prompt. READ THE ENTIRE SCREEN as instructed. Log in as root, and continue with your install routine.

The main install routine for Slackware is started with the command setup. You will need to ensure that you have your disk properly partitioned before you enter the setup program.

Take the time to read each screen completely as it comes up.
2) Partition and format for Linux
At a minimum you will need two partitions. This step is normally part of the installation process, or is covered in the distribution's documentation.
Root (/) as type Linux Native.
Swap as type Linux Swap (use 2x your system memory as a starting point for swap size).
You will hear a lot about using multiple partitions for different directories. Don't let that confuse you. There are arguments both for and against using multiple partitions for a Linux file system. If you are just starting out, use one large root (/) partition, and one swap partition as described above.
You will partition your Slackware Linux system using fdisk or cfdisk. The Slackbook has a detailed section on using fdisk to accomplish this (http://www.slackbook.org/html/book.html#INSTALLATIONPARTITIONING). In fact, I would read the entire installation section of the Slackbook. It will make the process much easier for you.
When asked to format the root partition, I would suggest selecting the ext3 file system (now default in Slackware 12.1).
3) Package installation (system)
When asked which packages to select for installation, it is usually safe for a beginner to select everything or full. This allows you to try all the packages, along with multiple X Window desktop environments. This can take as much as 5 to 6 GB on some of the newer distributions (5 GB on Slackware), however it includes all the software you are likely to need for a long time (including many office type applications, Internet, email, etc.). This is not really optimal for a forensic workstation, but for a learning box it will give you the most exposure to available software for experimentation.
4) Installation Configuration
Sound
Usually automatic. If not, search the Web. The answer is out there. If it does not work out of the box (as it should with most hardware in Slackware), then try the following.
There are many current distributions using the Advanced Linux Sound Architecture (ALSA), including Slackware. Configuring sound on Linux using ALSA can be quite easy. Once booted into your new system, try running the command alsaconf to allow the system to attempt automatic configuration. If that appears to work (no obvious error messages), run alsamixer to adjust speaker volume. These programs are run from a command prompt. The alsaconf program is run as the root user, while alsamixer can be run as a regular user.
Xorg (X Window system)
Know your hardware (video card, etc.).
If you choose to configure X during the installation routine, do not click yes if the installation routine asks if you want X to start automatically every time your system boots. This can make problem solving difficult and results in less control over the system. You can always start the GUI with startx from the command line.
By default, Xorg will use a standard VESA driver to run your X Window system. You can attempt to get a more optimum configuration after the installation by running X -configure, which will write a new configuration file with settings tailored more for your hardware. This will create a file called xorg.conf.new which can then be copied to /etc/X11/xorg.conf.
I would suggest you use XFCE as your desktop manager. Feel free to use others, but XFCE will provide a clean, uncluttered interface.
You select XFCE as your desktop during the Slackware installation by choosing xinitrc.xfce during the X setup portion. You can try other window managers by running the command xwmconfig and selecting a different one.
Boot Method (the Boot loader selects the OS to boot)
LILO or GRUB.
LILO is the default for Slackware. Some people find GRUB more flexible and secure. GRUB can be installed later, if you like.
Usually select the option to install LILO to the master boot record (MBR). The presence of other boot loaders (as provided by other operating systems) determines where to install LILO or GRUB.
The boot loader contains the code that points to the kernel to be booted. Check http://www.tldp.org for multi OS and multi boot HowTo documents.
Create a username for yourself; avoid using root exclusively.
For more information, check the file CHANGES_AND_HINTS.TXT on the install CD, or at: http://slackware.osuosl.org/slackware12.1/CHANGES_AND_HINTS.TXT. This file is loaded with useful hints and changes of interest from one release to another.
Linux is a multiuser system. It is designed for use on networks (remember, it is based on Unix). The root user is the system administrator, and is created by default during installation. Exclusive use of the root login is DANGEROUS. Linux assumes that root knows what he or she is doing and allows root to do anything he or she wants, including destroy the system. Create a new user. Don't login as root unless you must. Having said this, much of the work done for forensic analysis must be done as root to allow access to raw devices and system commands.
Desktop Environment
When talking about forensic suitability, your choice of desktop system can make a difference. First of all, the terms desktop environment and window manager are NOT interchangeable. Let's briefly clarify the components of a common Linux GUI.
X Window: This is the basic GUI environment used in Linux. Commonly referred to as X, it is the application that provides the GUI framework, and is NOT part of the OS. X is a client/server program with complete network transparency.
Window Manager: This is a program that controls the appearance of windows in the X Window system, along with certain GUI behaviors (window focus, etc.). Examples are Kwin, Metacity, XFWM, Enlightenment, etc.
Desktop Environment: A combination of Window Manager and a consistent interface that provides the overall desktop experience. Examples are XFCE, GNOME, KDE, etc.
The default Window Manager for KDE is Kwin.
The default Window Manager for GNOME is Metacity.
The default Window Manager for XFCE is XFWM.
These defaults can be changed to allow for preferences in speed and resource management over the desire for eye candy, etc. You can also elect to run a Window Manager without a desktop environment. For example, the Enlightenment Window Manager is known for its eye candy and can be run standalone, with or without KDE or GNOME, etc.
Slackware no longer comes with GNOME as an option, though it can be installed like any other application. During the base Slackware installation, you will be given a choice of KDE, XFCE, and some others. I would like to suggest XFCE. It provides a cleaner interface for a beginner to learn on. It is leaner and therefore less resource intensive. You still have access to many KDE utilities, if you elected to install KDE during package selection. You can install more than one desktop and switch between them, if you like. The easiest way to switch is with the xwmconfig command.
The Linux Kernel: Versions and Issues
The Linux kernel is the brain of the system. It is the base component of the Operating System that allows the hardware to interact with and manage other software and system resources.
In December of 2003, the Linux 2.6 kernel was released. This was another milestone in the Linux saga, and all of the newer mainstream distribution versions are based on the 2.6 kernel. Many of the changes in 2.6 over the previous 2.4 are geared toward enterprise use and scalability. The newer kernel release also has a number of infrastructure changes that have a significant impact on Linux as a forensic platform. For example, there is enhanced support for USB and a myriad of other external devices. Read up on udev for more information on one such change [1]. We will very briefly discuss udev later in this section.
As with all forensic tools, we need to have a clear view of how any kernel version will interact with our forensic platforms and subject hardware. Almost all current distributions of Linux already come with a 2.6 kernel installed by default. Slackware 12 has also moved to the 2.6 kernel series (2.6.24.5 in 12.1).
Previous versions of this document suggested using an older (but updated) version of the kernel (2.4 series) to account for infrastructure changes in newer kernel versions that could adversely affect Linux employed as a forensic platform. This version of the Linux Forensic Practitioner's Guide has departed from that philosophy and we now use a distribution with a 2.6 kernel by default. Still, it is both interesting and important to understand the implications of kernel choice on a forensic platform. So while we have moved on to the 2.6 kernel, we will still cover the differences and caveats to using a modern kernel.
Prior to the 2.6 series kernel, the developers maintained 2 separate kernel branches. One was for the stable kernel, and the other was for testing. Once released, the stable kernel was updated with bug fixes and was considered a solid production kernel. The other kernel branch was the testing branch and was used to incorporate innovations and updates to the kernel infrastructure. The stable kernel had an even numbered secondary point release, and the testing branch had an odd numbered secondary point release.

Stable branch    Testing branch
2.0              2.1
2.2              2.3
2.4              2.5
2.6              ??

[1] http://www.kernel.org/pub/linux/utils/kernel/hotplug/udev.html
The development of the 2.5 test kernel series resulted in the stable 2.6 series. Many of the improvements, once deemed stable, were backported to the 2.4 kernel. As a result, the 2.4 series is still considered modern and supports much of the newer hardware currently in use.
So, what were the initial reservations about ad hoc adoption of the 2.6 kernel in forensics, even though it's considered stable? You will notice from the chart above that there is no current 2.7 testing branch. The current kernel development scheme does not utilize a testing branch. This means that new innovations and changes to kernel infrastructure get wrapped directly into 2.6 kernel updates. As a result, critical upgrades within the 2.6 kernel series have a potential to break existing applications. There were many in the Linux community (even outside of computer forensics) that saw the 2.6 kernel as a fine system for desktop computers, but did not consider using it in a production environment. Again, this does NOT mean that it was not suitable for forensics, just that it required more testing and careful configuration with the addition of more cutting edge features.
Of equal importance in selecting a Linux kernel for forensic use was the interface that the kernel provides between the hardware and the end user. The 2.6 kernel includes a number of enhancements that are designed specifically to improve the overall Linux experience on the desktop. These enhancements, if not properly configured and controlled, can result in a loss of user control over devices, one of the primary reasons for using Linux for forensics in the first place. Such obstacles can be overcome through proper configuration, but rigorous testing, as with all forensic applications, is required. Knowing what services to disable, and what effect this will have on the entire system, is imperative. While a complete discussion of these requirements is largely beyond the scope of this guide, we will cover basic configuration in later sections.
So we have finally arrived at a point where the 2.6 kernel is mainstream and we will be using it in our forensic environment. The key to safe use (this goes for ANY operating system) is knowledge of your environment and proper testing. Please keep that in mind. You MUST understand how your hardware and software interact with any given operating system before using it in a production forensic analysis.
One of the greatest strengths Linux provides is the concept of total control. This requires thorough testing and understanding. Don't lose sight of this in pursuit of an easy desktop experience.
Configuring Slackware 12: 2.6 kernel considerations
So, we've discussed the differences between the 2.4 and the 2.6 kernel. There are infrastructure changes and enhancements to the 2.6 kernel that can be more of a challenge to configure for a Linux beginner looking for a stable and sound forensic platform.
In this section, we will focus on the minimum configuration requirements for creating a sound forensic environment under current Linux distributions using the 2.6 kernel. We will briefly discuss device node management (udev), hardware abstraction (HAL) and message bus (dbus) daemons, and the desktop environment. In simplified terms, it is these components that create the most obvious problems for forensic suitability in the most current Linux distributions. The good news is that, being Linux, the user has very granular control over these services. The control that we love having with Linux is still there, we just need to grab some of it back from the kernel (or the desktop, as the case may be).
udev
Starting with kernel version 2.6.13, Linux device management was handed over to a new system called udev. Traditionally, the device nodes (files representing the devices, located in the /dev directory) used in previous kernel versions were static, that is they existed at all times, whether in use or not [2]. For example, on a system with static device nodes we may have a primary SATA hard drive that is detected by the kernel as /dev/sda. Since we have no IDE drives, no drive is detected as /dev/hda. But when we look in the /dev directory we see static nodes for all the possible disk and partition names for /dev/hda. The device nodes exist whether or not the device is detected.
In the new system, udev creates device nodes on the fly. The nodes are created as the kernel detects the device and the /dev directory is populated in real time. In addition to being more efficient, udev also runs in user space. One of the benefits of udev is that it provides for persistent naming. In other words, you can write a set of rules (for a nice explanation of udev rules, see: http://reactivated.net/writing_udev_rules.html) that will allow udev to recognize a device based on individual characteristics (serial number, manufacturer, model, etc.). The rule can be written to create a user defined link in the /dev directory, so that for example, my thumb drive can always be accessed through an arbitrary device node name of my choice, like /dev/mythumb, if I so choose. This means that I don't have to search through USB device nodes to find the correct device name if I have more than one external storage device connected.
[2] We will not cover Devfs, a device management system that used dynamic nodes prior to udev.
Udev is required for current 2.6 kernels. On Slackware, it runs as a daemon from the startup script /etc/rc.d/rc.udev. We will discuss these startup scripts in more detail later in this document. We will not do any specific configuration for udev on our forensic computers at this time. We discuss it here simply because it is a major change in device handling in the 2.6 kernel. Udev does NOT involve itself in automounting or otherwise interacting with applications. It simply provides a hardware to kernel interface.
Hardware Abstraction Layer
HAL refers to the Hardware Abstraction Layer. The HAL daemon maintains information about devices connected to the system. In effect, HAL acts as a middleman for device detection, in that it organizes device information in a uniform format accessible to applications that want to either access or react to a change in the status of a device (plugged in or unplugged, etc.). The information that HAL makes available is object specific and provides far more detail than normal kernel detection allows. As a result, applications that receive information about a device from HAL can react in context. HAL and udev are not connected, and operate independently of one another. Where HAL describes a device in detail, for use by applications, udev simply manages device nodes. In Slackware 12, HAL is run as a daemon from /etc/rc.d/rc.hald. See the section titled Service Startup Scripts in Chapter III for more information on rc scripts and how to stop the service from autostarting.
dbus
The system message bus, or dbus, provides a mechanism for applications to exchange information. For our purposes here, we will simply state that dbus is the communication channel used by HAL to send its information to applications. In Slackware 12, dbus is run as a daemon from /etc/rc.d/rc.messagebus.
With some very fine configuration, it's possible to have HAL and dbus running and still maintain a sound forensic environment. For our purposes, we will turn HAL and dbus off. We do this because exhaustive configuration is outside the scope of this document. We will make these adjustments in the section File Permissions on page 41. It has been noted that turning dbus off is not strictly required (at this point). I suggest doing so for the sake of safety. I urge you to test your own configurations.
2.6 Kernel and Desktops
One of the considerations when discussing Desktop Environments is their integration with the HAL and dbus services to allow for desktop automounting of removable media. KDE and GNOME are heavily integrated with HAL/dbus and users need to be aware of how to control this undesired behavior in a forensic environment. Equally important is how to deal with instability caused when expected messages from the OS are not received by a polling application.
XFCE is a lighter weight (read: lighter on resources) desktop. And although XFCE is also capable of integration with HAL and dbus, it allows for easier control of removable media on the desktop (search for thunar-volman). While KDE and GNOME also allow for control of automounting through configuration dialogs, they are far more tightly integrated and arguably more complex.
Rolling your own: The Custom Kernel
"Every forensic examiner should compile his own kernel, just like every Jedi builds his own lightsaber."
The Cory Altheide
At some point during your Linux education, you will want to learn how to recompile your kernel. Why? Well... the above quote puts it quite nicely. The kernel that comes with your distro of choice is often heavily patched, and is configured to work with the widest variety of hardware possible. This gives the stock distribution a better chance of working on a multitude of systems right out of the box. Note that the Slackware kernels are nicely generic and quite suitable out of the box for forensic use. Also, be warned that user customized kernels make for difficult troubleshooting and you will often be asked to reproduce problems with a stock kernel before you can get specific support. This is simply a matter of defining a common denominator when addressing problems.
The actual steps for compiling a custom kernel are outside the scope of this document, and have been covered elsewhere [3]. The concepts, however, are important for an overall understanding of how Linux works.
[3] A quick Internet search for linux custom kernel compile or the like will provide a good start. Throw in the word forensic for some more specific pointers.
As mentioned previously, the kernel provides the most basic interface between hardware and the system software and resource management. This includes drivers and other components that are actually small separate pieces of code that can either be compiled as modules or compiled directly in the kernel image.
There are two basic approaches to compiling a kernel. Static kernels are built so that all of the drivers and desired features are compiled into the single kernel image. Modular kernels are built such that drivers and other features can be compiled as separate object files that can be loaded and unloaded on the fly into a running system. More on handling kernel modules can be found in Section II of this document, under Using Modules.
In short, you might find yourself in need of a kernel recompile as a result of the fact that you require specific drivers or support that is not currently included in your distribution's default kernel configuration. Or, after becoming comfortable with Linux, you decide you want to try your hand at actually configuring your custom kernel simply because you want to make it more efficient or because you want to expand the support for hardware, file systems, or partition table types that you might come across during an investigation.
In any event, forensics with Linux is all about control. Customizing your kernel configuration, while an advanced skill, is the most basic form of control you have in Linux (short of rewriting the source code itself). At some point, this is something you will want to educate yourself further on.
II. Linux Disks, Partitions and the File System
Disks
Linux treats its devices as files. The special directory where these "files" are maintained is "/dev".

DEVICE:                                FILE NAME:
Floppy (a:)                            /dev/fd0
Hard disk (master, IDE0)               /dev/hda
Hard disk (slave, IDE0)                /dev/hdb
Hard disk (master, IDE1)               /dev/hdc, etc.
1st SCSI hard disk (SATA, USB)         /dev/sda
2nd SCSI hard disk                     /dev/sdb, etc.

Partitions

DEVICE:                                FILE NAME:
1st Hard disk (master, IDE0)           /dev/hda
    1st Primary partition              /dev/hda1
    2nd Primary partition              /dev/hda2, etc.
    1st Logical drive (on extd part)   /dev/hda5
    2nd Logical drive                  /dev/hda6, etc.
2nd Hard disk (slave, IDE0)            /dev/hdb
    1st Primary partition              /dev/hdb1, etc.
CDROM (ATAPI) or 3rd disk (mstr, IDE1) /dev/hdc
1st SCSI disk (or SATA, USB, etc.)     /dev/sda
    1st Primary partition              /dev/sda1, etc.

The pattern described above is fairly easy to follow. If you are using a standard IDE disk (or standard ATAPI CDROM drive), it will be referred to as hdx where the "x" is replaced with an "a" if the disk is connected to the primary IDE controller as master and a "b" if the disk is connected to the primary IDE controller as a slave device. In the same way, the IDE disks (or CDROM) connected to the secondary IDE controller as master and slave will be referred to as hdc and hdd respectively.
SCSI and Serial ATA (SATA) disks will be referred to as sdx. In the case of SCSI disks, they are assigned letters in the order in which they are detected. This includes USB and Firewire. For example, a primary SATA disk will be assigned sda. If you attach a USB disk or a thumb drive it will normally be detected as sdb, and so on. [4]
[4] You may run across older distributions that support devfs which uses a different naming scheme. Don't let this confuse you. The pattern described above is still supported through links for compatibility. See http://www.atnf.csiro.au/people/rgooch/linux/docs/devfs.html for more information.
The fdisk program can be used to create or list partitions on a supported device. This is an example of the output of fdisk on a dual boot system using the list option (-l [dash el]):

root@rock:~# fdisk -l /dev/hda

Disk /dev/hda: 60.0 GB, 60011642880 bytes
255 heads, 63 sectors/track, 7296 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/hda1   *           1         654     5253223+   7  HPFS/NTFS
/dev/hda2             655        2478    14651280    7  HPFS/NTFS
/dev/hda3            2479        7296    38700585    5  Extended
/dev/hda5            2479        4303    14659281   83  Linux
/dev/hda6            4304        4366      506016   82  Linux swap
/dev/hda7            4367        7296    23535193+   c  W95 FAT32 (LBA)

fdisk -l /dev/hdx gives you a list of all the partitions available on a particular drive (in this case an IDE drive). Each partition is identified by its Linux name. The "boot flag" is indicated, and the beginning and ending cylinders for each partition are given. The number of blocks per partition is displayed. Finally, the partition "Id" and file system type are displayed. To see a list of valid types, run fdisk and at the prompt type "l" (the letter el). Do not confuse Linux fdisk with DOS fdisk. They are very different. The Linux version of fdisk provides for much greater control over partitioning.
Remember that the partition type identified in the last column, under System, has nothing to do with the file system found on that partition. Do not rely on the partition type to determine the file system. On most normal systems, a type c (W95 FAT32) partition type will contain a FAT32 partition, but not always. Also, consider partitions of type 83 (Linux). Type 83 partitions can normally hold EXT2, EXT3, ReiserFS, or any number of other file system types. We will discuss file system identification later in this document.
BEFORE FILE SYSTEMS ON DEVICES CAN BE USED, THEY MUST BE MOUNTED! Any file systems on partitions you define during installation will be mounted automatically every time you boot. We will cover the mounting of file systems in the section that deals with Linux commands, after you have some navigation experience.
Keep in mind that even when not mounted, devices can still be written to. Simply not mounting a file system does not protect it from being inadvertently changed through your actions.
Mounting file systems on some types of external devices, which we will come to later in this document, may require us to delve a little deeper into modules.
Using modules: Linux Drivers
It's difficult to decide when to introduce modules to a new user. The concept can be a little confusing, but out of the box Linux distributions rely heavily on modules for device and file system support. For this reason, we will make an effort to get familiar with the concept early on.
As discussed in the previous section, modules are really just drivers that can be loaded and unloaded from the kernel dynamically. They are object files (*.ko for the 2.6 kernel) that contain the required driver code for the supported device or option. Modules can be used to provide support for everything from USB controllers and network interfaces to file systems.
The various modules available on your system are located in the /lib/modules/<kernel version>/ directory. Note that the current kernel version running on your system can be found using the command uname -r.
There are, in general, three ways that driver code is loaded in Linux:
Driver code is compiled directly into the kernel. The code is part of the kernel image that is loaded when the computer boots. Supported devices are recognized and configured as the OS loads.
Modules are loaded at boot time through the actions of udev, which handles hotplug events. After the kernel is loaded, udev events are triggered and the proper modules are automatically loaded. We will cover this in more detail in the chapter covering system startup. Recall that udev handles the device node management.
Modules are manually loaded by the user, as needed.
In cases where the driver code is not automatically loaded, modules can be installed and removed from the system on the fly using the following commands (as root):
modprobe   an intelligent module loader
rmmod      to remove the module
lsmod      to get a list of currently installed modules
For example, to get USB support for a USB thumb drive on some systems, you may need to load a couple of modules. With the USB device plugged in, we can install the needed modules (ehci_hcd for many USB 2.0 controllers, and usb-storage for the storage interface) with:
modprobe ehci_hcd      (depending on your USB controller)
modprobe usb-storage
Note that while the module is named with a .ko extension, we do not include that in the insertion command.
We only need to install these drivers if the kernel does not have the support compiled in, or if the module is not loaded automatically. Note that on a stock Slackware 12.1 system, the support for USB is compiled into the kernel and loading modules is not needed.
So how would you know if you needed to load modules? To check and see if the modules are already loaded, you can use the lsmod command to look for the driver name. Use grep to show only lines with specific text. We will cover grep in far more detail later on.

root@rock:~# lsmod | grep ehci_hcd
root@rock:~#

In this case, the command returns nothing. This might indicate that the driver is not loaded, or it might indicate that the driver is not a module, but is compiled directly into the kernel. I can check this using the dmesg command and grep as well. The dmesg command replays the system startup messages:

root@rock:~# dmesg | grep ehci_hcd
ehci_hcd 0000:00:1d.7: EHCI Host Controller
ehci_hcd 0000:00:1d.7: new USB bus registered, assigned bus number 1
ehci_hcd 0000:00:1d.7: debug port 1
ehci_hcd 0000:00:1d.7: irq 20, io mem 0x80004000
ehci_hcd 0000:00:1d.7: USB 2.0 started, EHCI 1.00, driver 10 Dec 2004

The output of the above commands shows us that support for the USB 2.0 host controller is already loaded (as shown in the dmesg output), but not as a module (as shown in the lsmod output).
While this subject can be a bit daunting at first, just keep in mind that an attached device may or may not work on a given system until the proper module is installed. Knowing how to check for existing support, and how to insert a module if needed, is important.
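As an added example that is not part of the original guide, the two checks above (lsmod for modules, dmesg for driver messages) can be combined into one shell function that reports whether a driver is loaded as a module, compiled into the kernel, or not present at all. The lsmod and dmesg text it is fed here is constructed from the listings above; on a live system you would pass "$(lsmod)" and "$(dmesg)".

```shell
#!/bin/sh
# Added example, not part of the original guide. Classifies driver support the
# way the text does by hand: lsmod lists loaded modules, dmesg shows whether the
# driver ever announced itself. A driver that appears in dmesg but not in lsmod
# is compiled directly into the kernel image.

# driver_status NAME LSMOD_OUTPUT DMESG_OUTPUT
# Prints one of: module, builtin, absent
driver_status() {
    name=$1
    lsmod_out=$2
    dmesg_out=$3

    # lsmod prints one module per line with the module name in column 1.
    # An exact match on column 1 avoids matching ohci_hcd when asking for hcd.
    if printf '%s\n' "$lsmod_out" | awk -v m="$name" '$1 == m { hit = 1 } END { exit !hit }'; then
        echo module
    # The kernel logs driver messages prefixed with the driver name, e.g.
    # "ehci_hcd 0000:00:1d.7: EHCI Host Controller". -w keeps ehci_hcd from
    # matching a longer token such as ehci_hcd_foo.
    elif printf '%s\n' "$dmesg_out" | grep -qw -- "$name"; then
        echo builtin
    else
        echo absent
    fi
}

# Constructed sample listings, modelled on the guide's Slackware 12.1 output:
# ehci_hcd is built in (present in dmesg only), usb_storage is a module.
SAMPLE_LSMOD='Module                  Size  Used by
usb_storage            45824  0
snd_hda_intel          28672  1'

SAMPLE_DMESG='ehci_hcd 0000:00:1d.7: EHCI Host Controller
ehci_hcd 0000:00:1d.7: new USB bus registered, assigned bus number 1
ehci_hcd 0000:00:1d.7: USB 2.0 started, EHCI 1.00, driver 10 Dec 2004
usb-storage: device scan complete'

# Stand-alone demonstration; the same call with "$(lsmod)" "$(dmesg)" works
# on a live system (as root).
for drv in ehci_hcd usb_storage ohci_hcd; do
    printf '%-12s %s\n' "$drv" "$(driver_status "$drv" "$SAMPLE_LSMOD" "$SAMPLE_DMESG")"
done
```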
Device Recognition
Another common question arises when a user plugs a device in a Linux box and receives no feedback on how (or even if) the device was recognized. One easy method for determining how and if an inserted device is registered is to use the previously introduced dmesg command.
For example, if I plug a USB thumb drive into a Linux computer, and the computer is running a HAL enabled desktop, I may well see an icon appear on the desktop for the disk. I might even see a folder open on the desktop allowing me to access the files automatically. Obviously, on a system we are using as a forensic platform, we may want to minimize this sort of behavior (more on that later...).
So when there is no visible feedback, where do we look to see what device node was assigned to our disk (/dev/sda, /dev/sdb, etc.)? How do we know if it was even detected? Again, this question is particularly pertinent to the forensic examiner, since we will likely configure our system to be a little less helpful.
Plugging in the thumb drive and running the dmesg command provides me with the following output:

root@rock:~# dmesg
scsi 2:0:0:0: Direct-Access     SanDisk  U3 Titanium      2.16 PQ: 0 ANSI: 2
sd 2:0:0:0: [sda] 1994385 512-byte hardware sectors (1021 MB)
sd 2:0:0:0: [sda] Write Protect is off
sd 2:0:0:0: [sda] Mode Sense: 03 00 00 00
sd 2:0:0:0: [sda] Assuming drive cache: write through
sd 2:0:0:0: [sda] 1994385 512-byte hardware sectors (1021 MB)
sd 2:0:0:0: [sda] Write Protect is off
 sda: sda1
sd 2:0:0:0: [sda] Attached SCSI removable disk
scsi 2:0:0:1: CD-ROM            SanDisk  U3 Titanium      2.16 PQ: 0 ANSI: 2
sr0: scsi3-mmc drive: 8x/40x writer xa/form2 cdda tray
sr 2:0:0:1: Attached scsi CD-ROM sr0
usb-storage: device scan complete

The important information is in the [sda], sda1 and sr0 lines. Note that this particular thumb drive (a SanDisk U3) provides two parts, the storage volume with a single partition (/dev/sda1), and an emulated CDROM device which was detected as /dev/sr0. SCSI CDROM devices are recognized as srx or scdx.
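As an added example that is not part of the original guide, the following shell function pulls the assigned device nodes out of dmesg output like the listing above, so the examiner gets /dev/sda, /dev/sda1 and /dev/sr0 without reading the whole log. It reads the same lines the text points at; the dmesg text is constructed to match the SanDisk U3 example.

```shell
#!/bin/sh
# Added example, not from the original guide: list the device nodes the kernel
# assigned to a newly attached USB device, taken from dmesg output. It reads the
# same lines the text points at: the sd driver's "[sdX]" tags, the "sdX: sdX1"
# partition scan line, and the sr driver's "Attached scsi CD-ROM srN" line.

# attached_devices DMESG_OUTPUT
# Prints each node once, as /dev/..., in the order the kernel reported it.
attached_devices() {
    printf '%s\n' "$1" | awk '
        # "sd 2:0:0:0: [sda] 1994385 512-byte hardware sectors (1021 MB)"
        /^sd [0-9:]+ \[sd[a-z]+\]/ {
            node = substr($3, 2, length($3) - 2)   # strip the [ ]
            print "/dev/" node
        }
        # " sda: sda1 sda2 < sda5 >" : partitions found on the disk; the
        # angle brackets mark an extended partition and are not nodes.
        /^ *sd[a-z]+: / {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^sd[a-z]+[0-9]+$/) print "/dev/" $i
        }
        # "sr 2:0:0:1: Attached scsi CD-ROM sr0"
        /^sr [0-9:]+ Attached scsi CD-ROM / { print "/dev/" $NF }
    ' | awk '!seen[$0]++'    # drop repeats (dmesg prints [sda] lines many times)
}

# Constructed dmesg excerpt, modelled on the SanDisk U3 listing in the guide.
SAMPLE_DMESG='usb 1-1: new high speed USB device using ehci_hcd and address 2
scsi 2:0:0:0: Direct-Access     SanDisk  U3 Titanium      2.16 PQ: 0 ANSI: 2
sd 2:0:0:0: [sda] 1994385 512-byte hardware sectors (1021 MB)
sd 2:0:0:0: [sda] Write Protect is off
 sda: sda1
sd 2:0:0:0: [sda] Attached SCSI removable disk
scsi 2:0:0:1: CD-ROM            SanDisk  U3 Titanium      2.16 PQ: 0 ANSI: 2
sr0: scsi3-mmc drive: 8x/40x writer xa/form2 cdda tray
sr 2:0:0:1: Attached scsi CD-ROM sr0
usb-storage: device scan complete'

# Stand-alone demonstration; on a live system use: attached_devices "$(dmesg)"
attached_devices "$SAMPLE_DMESG"
```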
The File System
Like the Windows file system, the Linux file system is hierarchical. The "top" directory is referred to as "the root" directory and is represented by "/". Note that the following is not a complete list, but provides an introduction to some important directories.

/ (root, not to be confused with /root)
|_ bin
|   |_ ls, chmod, sort, date, cp, dd
|_ boot
|   |_ vmlinuz, system.map
|_ dev
|   |_ hd*, tty*, sd*, fd*, cdrom
|_ etc
|   |_ X11
|   |   |_ XF86Config, X
|   |_ lilo.conf, fstab, inittab, modules.conf
|_ home
|   |_ barry (your user's name is in here)
|   |   |_ .bashrc, .bash_profile, personal files
|   |_ other users
|_ mnt
|   |_ cdrom
|   |_ floppy
|   |_ other temporary mount points
|_ media
|   |_ cdrom0
|   |_ dvd0
|   |_ other standard media mount points
|_ root
|   |_
Note that the directory slash (/) is opposite what most people are used to in Windows (\).
Directory contents can include:

/bin     Common commands.
/boot    Files needed at boot time, including the kernel images pointed to by LILO (the LInux LOader) or GRUB.
/dev     Files that represent devices on the system. These are actually interface files to allow the kernel to interact with the hardware and the file system.
/etc     Administrative configuration files and scripts.
/home    Directories for each user on the system. Each user directory can be extended by the respective user and will contain their personal files as well as user specific configuration files (for X preferences, etc.).
/mnt     Provides temporary mount points for external, remote and removable file systems.
/media   Provides a standard place for users and applications to mount removable media. Part of the new File System Hierarchy Standard.
/root    The root user's home directory.
/sbin    Administrative commands and process control daemons.
/usr     Contains local software, libraries, games, etc.
/var     Logs and other variable files will be found here.

Another important concept when browsing the file system is that of relative versus explicit paths. While confusing at first, practice will make the idea second nature. Just remember that when you provide a path name to a command or file, including a / in front means an explicit path, and will define the location starting from the top level directory (root). Beginning a path name without a / indicates that your path starts in the current directory and is referred to as a relative path. More on this later.
One very useful resource for this subject is the File System Hierarchy Standard (FHS), the purpose of which is to provide a reference for developers and system administrators on file and directory placement. Read more about it at http://www.pathname.com/fhs/
III. The Linux Boot Sequence (Simplified)
Booting the kernel
The first step in the (simplified) boot up sequence for Linux is loading the kernel. The kernel image is usually contained in the /boot directory. It can go by several different names:
bzImage
vmlinuz
Sometimes the kernel image will specify the kernel version contained in the image, i.e. bzImage-2.6.24. Very often there is a soft link (like a shortcut) to the most current kernel image in the /boot directory. It is normally this soft link that is referenced by the boot loader, LILO (or GRUB).
The boot loader specifies the root device (boot drive), along with the kernel version to be booted. For LILO, this is all controlled by the file /etc/lilo.conf. Each image= section represents a choice in the boot screen.
This is an example of a lilo.conf file [5]:

root@rock:~# cat /etc/lilo.conf
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
prompt
timeout=50
image=/boot/bzImage      <- Defines the Linux kernel to boot
  label=linux            <- Menu choice in LILO
  root=/dev/hda3         <- Where the root file system is found
  read-only
other=/dev/hda1          <- Defines alternate boot option
  label=WinXP            <- Menu choice in LILO
  table=/dev/hda

[5] The actual /etc/lilo.conf file on your system will be much more cluttered with comments (lines starting with a #). Comments have been removed from this example for readability.
In the case of GRUB, each section beginning with title is a choice for booting and can include Linux as well as other operating systems, including Windows. Note again the reference to the kernel location, and the root device (where the root file system is located). GRUB starts its counting from 0, so where you see hd0,0 it is referring to the first IDE disk, followed by the first partition. See the info or man page for GRUB.
-
v.3.78TheLawEnforcementandForensicExaminer'sIntroductiontoLinux
In the following GRUB example, there will be two different Linux kernel choices offered in the boot menu. They all use the same root file system, but differ in the kernel image loaded from the /boot partition.

root@rock:~# cat /boot/grub/grub.conf
boot=/dev/hda
default=0
timeout=10
splashimage=(hd0,0)/boot/grub/splash.xpm.gz
title Linux (2.6.24)

Once the system has finished booting, you can see the kernel messages that fly past the screen during the booting process with the command dmesg. We discussed this command a little when we talked about device recognition earlier. As previously mentioned, this command can be used to find hardware problems, or to see how a removable (or suspect) drive was detected, including its geometry, etc. The output can be piped through a paging viewer to make it easier to see (in this case, dmesg is piped through less on my Slackware system).
Initialization

The next step in the boot sequence starts with the program /sbin/init. This program really has two functions:

initialize the run level and startup scripts
terminal process control (respawn terminals)

In short, the init program is controlled by the file /etc/inittab. It is this file that controls your run level and the global startup scripts for the system.

Runlevel

The runlevel is simply a description of the system state. For our purposes, it is easiest to say that (for Slackware, at least; other systems, like Fedora Core, will differ):

runlevel 0 = shutdown
runlevel 1 = single user mode
runlevel 3 = full multiuser mode / text login
runlevel 4 = full multiuser / X11 / graphical login[6]
runlevel 6 = reboot

In the file /etc/inittab you will see a line similar to:

id:3:initdefault:
It is here that the default runlevel for the system is set. If you want a text login (which I would strongly suggest), set the above value to 3. This is the default for Slackware. With this default runlevel, you use startx to get to the X Window GUI system. If you want a graphical login, you would edit the above line to contain a 4.

root@rock:~# less /etc/inittab
#
# /etc/inittab: This file describes how the INIT process should set up
#               the system in a certain run-level.
#
# Default runlevel.
id:3:initdefault:

# System initialization, (runs when system boots).
si:S:sysinit:/etc/rc.d/rc.S

[6] This is largely distribution dependent. In Fedora Core, runlevel 5 provides a GUI login. In Slackware, it's runlevel 4.
Global Startup Scripts

After the default runlevel has been set, init (via /etc/inittab) then runs the following scripts:

/etc/rc.d/rc.S   handles system initialization, file system mount and check, PNP devices, etc.

/etc/rc.d/rc.X   where X is the runlevel passed as an argument by init. In the case of multiuser (non-GUI) logins (runlevel 2 or 3), this is rc.M. This script then calls other startup scripts (various services, etc.) by checking to see if they are executable.

/etc/rc.d/rc.local   called from within the specific runlevel scripts, rc.local is a general purpose script that can be edited to include commands that you want started at bootup (sort of like autoexec.bat).

/etc/rc.d/rc.local_shutdown   This file should be used to stop any services that were started in rc.local.

Service Startup Scripts

Once the global scripts run, there are service scripts in the /etc/rc.d/ directory that are called by the various runlevel scripts, as described above, depending on whether the scripts themselves have executable permissions. This means that we can control the boot time initialization of a service by changing its executable status. More on how to do this later. Some examples of service scripts are:

/etc/rc.d/rc.inet1        handles network interface initialization.
/etc/rc.d/rc.inet2        handles network services start. This script organizes the various network services scripts, and ensures that they are started in the proper order.
/etc/rc.d/rc.pcmcia       starts PC card services.
/etc/rc.d/rc.sendmail     starts the mail server. Controlled by rc.inet2.
/etc/rc.d/rc.sshd         starts the OpenSSH server. Also controlled by rc.inet2.
/etc/rc.d/rc.messagebus   starts dbus messaging services.
/etc/rc.d/rc.hald         starts hardware abstraction layer daemon services.
/etc/rc.d/rc.udev         populates the /dev directory with device nodes, scans for devices, loads the appropriate kernel modules, and configures the devices.

Have a look at the /etc/rc.d directory for more examples. Note that in a standard Slackware install, your directory listing will show executable scripts as green in color (in the terminal) and followed by an asterisk (*).
Again, this is Slackware specific. Other distributions differ (some differ greatly!), but the concept remains consistent. Once you become familiar with the process, it will make sense. The ability to manipulate startup scripts is an important step in your Linux learning process.

Bash

bash (Bourne Again Shell) is the default command shell for most Linux distros. It is the program that sets the environment for your command line experience in Linux. The functional equivalent in DOS would be command.com. There are a number of shells available, but we will cover bash here.

There are actually quite a few files that can be used to customize a user's Linux experience. Here are some that will get you started.

/etc/profile   This is the global bash initialization file for interactive login shells. Edits made to this file will be applied to all bash shell users. This file sets the standard system path, the format of the command prompt and other environment variables. Note that changes made to this file may be lost during upgrades. Another method is to create an executable file in the directory /etc/profile.d. Executable files placed in that directory are run at the end of /etc/profile.

/home/$USER/.bash_profile[7]   This script is located in each user's home directory ($USER) and can be edited by the user, allowing him or her to customize their own environment. It is in this file that you can add aliases to change the way commands respond. Note that the dot in front of the file name makes it a hidden file.

/home/$USER/.bash_history   This is an exceedingly useful file for a number of reasons. It stores a set number of commands that have already been typed at the command line (default is 500). These are accessible either through the shell's reverse history search or simply by using the up arrow on the keyboard to scroll through the history of already used commands. Instead of retyping a command over and over again, you can access it from the history.

From the perspective of a forensic examiner, if you are examining a Linux system, you can access each user's (don't forget root) .bash_history file to see what commands were run from the command line. Remember that the leading . in the file name signifies that it is a hidden file.

[7] In bash we define the contents of a variable with a dollar sign. $USER is a variable that represents the name of the current user. To see the contents of an individual shell variable, use echo $VARNAME.
Keep in mind that the default values for .bash_history (number of entries, history file name, etc.) can be controlled by the user(s). Read man bash for more detailed info.

The bash startup sequence is actually more complicated than this, but this should give you a starting point. In addition to the above files, check out /home/$USER/.bashrc. The man page for bash is an interesting (and long) read, and will describe some of the customization options. In addition, reading the man page will give a good introduction to the programming power provided by bash scripting. When you read the man page, you will want to concentrate on the INVOCATION section for how the shell is used and basic programming syntax.
IV. Linux Commands

Linux at the terminal

Directory listing = ls

ls       list files.
ls -F    classifies files and directories.
ls -a    show all files (including hidden).
ls -l    detailed file list (long view).
ls -lh   detailed list (long, with human readable file sizes).

We will discuss the meaning of each column in the ls -l output later in this document.

root@rock:~# ls -l
total 3984
drwxr-xr-x  3 root root   4096 Feb 15  2004 Backup_config
drwxr-xr-x  2 root root   4096 Jun 16 16:10 Desktop
drwx------  2 root root   4096 Jan 27  2004 Documents
drwxr-xr-x  3 root root   4096 Aug 10 14:26 VMware
-rw-r--r--  1 root root    175 Sep 26  2003 investigator.bjg
-rwxrwx---  1 root root   2740 Dec 15  2003 k.key
-rwxr-xr-x  1 root root 107012 Nov 29  2003 scanModem

Change directory = cd

cd            change directory to.
cd            (by itself) shortcut back to your home directory.
cd ..         up one directory (note the space between cd and ..).
cd -          back to the last directory you were in.
cd /dirname   change to the specified directory. Note that the addition of the / in front of the directory implies an explicit (absolute) path, not a relative one. With practice, this will make more sense.
cd dirname    change to the specified directory. The lack of a / in front of the directory name implies a relative path, meaning dirname is a subfolder of our current directory.

Copy = cp

cp sourcefile destinationfile   copy a file.

Clear the Terminal = clear

clear   clears the terminal screen of all text and returns a prompt.
Move a file or directory = mv

mv sourcefile destinationfile   move or rename a file.

Delete a file or directory = rm

rm filename   deletes a file.
rm -r         recursively deletes all files in directories and subdirectories.
rmdir         remove directories.
rm -f         do not prompt for file removal.

Display command help = man

man command   displays a "manual" page for the specified command. Use "q" to quit. VERY USEFUL.

If you want to find information about a command called find, including its usage, options, output, etc., then you would use the man page for the command find:

root@rock:~# man find
FIND(1L)                                                       FIND(1L)

NAME
       find - search for files in a directory hierarchy

SYNOPSIS
       find [path...] [expression]

DESCRIPTION
       This manual page documents the GNU version of find.  find
       searches the directory tree rooted at each given file name by
       evaluating the given expression from left to right, according
       to the rules of precedence (see section OPERATORS), until the
       outcome is known (the left hand side is false for and
       operations, true for or), at which point find moves on to the
       next file name.

Create a directory = mkdir

mkdir directoryname   creates a directory. Again, remember the difference between a relative and explicit path here.
Display the contents of a file = cat or more or less

cat filename    The simplest form of file display, cat streams the contents of a file to the standard output (usually the terminal). cat actually stands for concatenate. This command can also be used to add files together (useful later on). For example:

cat file1 file2 > file3

Takes the contents of file1 and file2 and streams the output, which is redirected to a single file, file3. This effectively adds the two files into one single file (the original files remain unchanged).

more filename   displays the contents of a file one page at a time. Unlike its DOS counterpart, Linux more takes file names as direct arguments.

less filename   less is a better more. Supports scrolling in both directions, and a number of other powerful features. less is actually the GNU version of more, and on many systems you will find that more is actually a link to less. Use q to exit a less session.

Note that you can string together several options. For example:

ls -aF

..will give you a list of all files (-a), including hidden files, and file/directory classification (-F, which shows "/" for directories, "*" for executables, and "@" for links).

bgrundy@rock:~/workdir $ ls -aF
./   .lntrc  arlist     dir1/  doc1@     rmscript*  workfiles/
../  .tschr  cpscript*  dir2/  mystuff/  topsc@
Additional useful commands

grep   search for patterns.

grep pattern filename

grep will look for occurrences of pattern within the file filename. grep is an extremely powerful tool. It has hundreds of uses given the large number of options it supports. Check the man page for more details. We will use grep in our forensic exercises later on.

find   allows you to search for a file (wildcards, actually expressions, permitted). To look for your fstab file, you might try:

root@rock:~# find / -name fstab -print
/etc/fstab

This means "find, starting in the root directory (/), by name, fstab and print the results to the screen". find also allows you to search by file type or even file times (actually inode times). The power of the find command should not be underestimated. More on this tool later.

pwd   prints the present working directory to the screen. The following example shows that we are currently in the directory /root.

root@rock:~# pwd
/root

file   categorizes files based on what they contain, regardless of the name (or extension, if one exists). Compares the file header to the "magic" file in an attempt to ID the file type. For example:

root@rock:~# file snapshot01.gif
snapshot01.gif: GIF image data, version 87a, 800 x 600

ps   list of current processes. Gives the process ID number (PID), and the terminal on which the process is running.

ps ax   shows all processes (a), and all processes without an associated terminal (x). Note the lack of a dash in front of the options. See the man page for info on this departure from our previous convention.

root@rock:~# ps ax
  PID TTY      STAT   TIME COMMAND
    1 ?        S      0:00 init [3]
    2 ?        SN     0:00 [ksoftirqd/0]
    3 ?        S<     0:00 [events/0]
    4 ?        S<     0:00 [khelper]
...
 1966 ?        Ss     0:00 /usr/sbin/syslogd -m 0
 1973 ?        Ss     0:00 /usr/sbin/klogd -c 3 -2
 2009 ?        Ss     0:00 /usr/sbin/acpid -c /etc/acpi/events
 2109 ?        Ss     0:00 /usr/sbin/cupsd

strings   prints out the readable characters from a file. Will print out strings that are at least four characters long (by default) from a file. Useful for looking at data files without the originating program, and searching executables for useful strings, etc. More on this forensically useful command later.

chmod   changes the permissions on a file. (See the section in this document on permissions).

chown   changes the owner of a file in much the same way as chmod changes the permissions.

shutdown   this command MUST be used to shut down the machine and cleanly exit the system. This is not DOS. Turning off the machine at the prompt is not allowed and can damage your file system (in some cases)[8]. You can run several different options here (check the man page for many more):

shutdown -r now   will reboot the system now (change to runlevel 6).

shutdown -h now   will halt the system. Ready for power down (change to runlevel 0).

[8] This has become much less of an issue with the newer journaled file systems used by Linux.
File Permissions

Files in Linux have certain specified file permissions. These permissions can be viewed by running the ls -l command on a directory or on a particular file. For example:

root@rock:~# ls -l myfile
-rwxr-xr-x  1 root root  1643 Jan 19 23:23 myfile

If you look close at the first 10 characters, you have a dash (-) followed by 9 more characters. The first character describes the type of file. A dash (-) indicates a regular file. A "d" would indicate a directory, and "b" a special block device, etc.

First character of ls -l output:

-  = regular file
d  = directory
b  = block device (SCSI or IDE disk)
c  = character device (serial port)
l  = link (points to another file or directory)

The next 9 characters indicate the file permissions. These are given in groups of three:

Owner   Group   Others
rwx     rwx     rwx

The characters indicate:

r = read
w = write
x = execute

So for the above myfile we have rwxr-xr-x

This gives the file owner read, write and execute permissions (rwx), but restricts other members of the owner's group and users outside that group to only read and execute the file (r-x). Write access is denied as symbolized by the -.

Now back to the chmod command. There are a number of ways to use this command, including explicitly assigning r, w, or x to the file. We will cover the octal method here because the syntax is easiest to remember (and I find it most flexible). In this method, the syntax is as follows:
chmod octal filename

octal is a three digit numerical value in which the first digit represents the owner, the second digit represents the group, and the third digit represents others outside the owner's group. Each digit is calculated by assigning a value to each permission:

read (r)    = 4
write (w)   = 2
execute (x) = 1

For example, the file myfile in our original example has an octal permission value of 755 (rwx=7, r-x=5, r-x=5). If you wanted to change the file so that the owner and the group had read, write and execute permissions, but others would only be allowed to read the file, you would issue the command:

chmod 774 myfile

4(r) + 2(w) + 1(x) = 7
4(r) + 2(w) + 1(x) = 7
4(r) + 0(-) + 0(-) = 4

A new long list of the file would show:

root@rock:~# chmod 774 myfile
root@rock:~# ls -l myfile
-rwxrwxr--  1 root root  1643 Jan 19 23:23 myfile

(rwx=7, rwx=7, r--=4)

Let us look at a practical example of changing permissions. Earlier in this document we discussed the system initialization process. Part of that process is the execution of rc scripts that handle system services. Recall that the file /etc/inittab invokes the appropriate runlevel scripts in the /etc/rc.d/ directory. In turn, these scripts test various service scripts in the /etc/rc.d/ directory for executable permissions. If the script is executable, it is invoked and the service is started. The test inside the rc.M (multiuser init script) for the PCMCIA service looks like this:

root@rock:~# cat /etc/rc.d/rc.M
...
if [ -x /etc/rc.d/rc.pcmcia ]; then
  . /etc/rc.d/rc.pcmcia start
The code shown above is an if/then statement where the brackets signify the test and the -x checks for executable permissions. So it would read:

if the file /etc/rc.d/rc.pcmcia is executable, then execute the command /etc/rc.d/rc.pcmcia start.

Note that the rc scripts can have either start, stop or restart passed as arguments in most cases.

A look at the permissions of /etc/rc.d/rc.pcmcia shows that it is not executable, and so will not start at system initialization:

root@rock:~# ls -l /etc/rc.d/rc.pcmcia
-rw-r--r-- 1 root root 5090 2006-08-16 16:48 /etc/rc.d/rc.pcmcia

To change the executable permissions to allow PCMCIA services to start at boot time, I execute the following:

root@rock:~# chmod 755 /etc/rc.d/rc.pcmcia
root@rock:~# ls -l /etc/rc.d/rc.pcmcia
-rwxr-xr-x 1 root root 5090 2006-08-16 16:48 /etc/rc.d/rc.pcmcia*

The directory listing shows that I have changed the executable status of the script. Depending on your color terminal settings, you may also see the color of the file change and an asterisk appended to the name.

You can use this technique to go through your /etc/rc.d/ directory to turn off those services that you do not need. Since I'm not running a laptop, and don't need PCMCIA services or wireless support:

root@rock:~# chmod 644 /etc/rc.d/rc.pcmcia
root@rock:~# chmod 644 /etc/rc.d/rc.wireless

Since we are running a 2.6 kernel on Slackware, and we want a forensically sound system in as simple a manner as possible here, you should do the same to the rc.hald (HAL) and rc.messagebus (dbus) service scripts. This will prevent system messages from accessing and automounting storage devices when they are detected. This does NOT prevent them from being detected... Just from being mounted and/or opened (normally by virtue of desktop software).

root@rock:~# chmod 644 /etc/rc.d/rc.hald
root@rock:~# chmod 644 /etc/rc.d/rc.messagebus

The changes will take effect next time you boot.
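An added example, not the guide's own code, that ties the two halves of this section together: perm_to_octal works out the octal mode from an ls -l permission string exactly as the text does by hand, and boot_services applies the same "[ -x ... ]" test rc.M uses to show which service scripts in a directory would be started at boot. The rc.d directory it inspects is a constructed fixture (an assumption) so the script runs on any system without touching the real /etc/rc.d.

```shell
#!/bin/sh
# Added example, not part of the original guide: the octal calculation from the
# text as a function, plus the "[ -x ... ]" test that rc.M applies to each
# service script. The rc.d directory is a constructed fixture (assumption).

# perm_to_octal MODESTRING   e.g. "-rwxr-xr-x" -> 755
# Works through the three rwx triples of an ls -l mode string, adding
# r=4, w=2, x=1 for each, exactly as the text does by hand.
perm_to_octal() {
    p="${1#?}"               # drop the file-type character (-, d, l, b, c)
    [ ${#p} -eq 9 ] || { echo "expected a 10-character mode string" >&2; return 1; }
    octal=""
    while [ -n "$p" ]; do
        digit=0
        case "$p" in r*) digit=$((digit + 4)) ;; esac
        case "$p" in ?w*) digit=$((digit + 2)) ;; esac
        # lowercase s/t mean setuid/setgid/sticky with execute also set
        case "$p" in ??[xst]*) digit=$((digit + 1)) ;; esac
        octal="$octal$digit"
        p="${p#???}"         # advance to the next owner/group/others triple
    done
    printf '%s\n' "$octal"
}

# boot_services RCDIR
# Lists every rc.* script in RCDIR the way rc.M decides about it: an executable
# script is "start"ed at boot, a non-executable one is "skipped".
boot_services() {
    dir="${1%/}"
    for script in "$dir"/rc.*; do
        [ -f "$script" ] || continue
        if [ -x "$script" ]; then
            printf 'start   %s\n' "${script##*/}"
        else
            printf 'skipped %s\n' "${script##*/}"
        fi
    done
}

# make_rcd_fixture: constructed stand-in for /etc/rc.d in a temp directory,
# with two services enabled and two disabled as in the text. Prints its path.
make_rcd_fixture() {
    d=$(mktemp -d)
    for s in rc.inet1 rc.sshd rc.pcmcia rc.hald; do : > "$d/$s"; done
    chmod 755 "$d/rc.inet1" "$d/rc.sshd"
    chmod 644 "$d/rc.pcmcia" "$d/rc.hald"
    printf '%s\n' "$d"
}

perm_to_octal '-rwxr-xr-x'     # 755, the myfile example
perm_to_octal '-rwxrwxr--'     # 774, after chmod 774 myfile
rcd=$(make_rcd_fixture)
boot_services "$rcd"           # start rc.inet1 and rc.sshd; skipped rc.hald and rc.pcmcia
rm -rf "$rcd"
```

Run against a real /etc/rc.d on a Slackware system, boot_services gives the same answer rc.M will give at the next boot, which is a quick way to confirm that rc.hald and rc.messagebus really are disabled.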
Metacharacters

The Linux command line (actually the bash shell in our case) also supports wildcards (metacharacters):

*    for multiple characters (including ".").
?    for single characters.
[]   for groups of characters or a range of characters or numbers.

This is a complicated and very powerful subject, and will require further reading. Refer to regular expressions in your favorite Linux text, along with globbing or shell expansion. There are important differences that can confuse a beginner, so don't get discouraged by confusion over what * means in different situations.

Command Hints

1. Linux has a history list of previously used commands (stored in the file named .bash_history in your home directory). Use the keyboard arrows to scroll through commands you've already typed.
2. Linux supports command line editing. You can use the cursor to navigate a previous command and correct errors.
3. Linux commands and file names are CASE SENSITIVE.
4. Learn output redirection for stdout and stderr (> and 2>). More on this later.
5. Linux uses / for directories, DOS uses \.
6. Linux uses - for command options, DOS uses /.
7. Use q to quit from less or man sessions.
8. To execute commands in the current directory (if the current directory is not in your PATH), use the syntax "./command". This tells Linux to look in the present directory for the command. Unless it is explicitly specified, the current directory is NOT part of the normal user path, unlike DOS.
Pipes and Redirection

Like DOS, Linux allows you to redirect the output of a command from the standard output (usually the display or "console") to another device or file. This is useful for tasks like creating an output file that contains a list of files on a mounted volume, or in a directory. For example:

root@rock:~# ls -al > filelist.txt

The above command would output a long list of all the files in the current directory. Instead of outputting the list to the console, a new file called "filelist.txt" will be created that will contain the list. If the file "filelist.txt" already existed, then it will be overwritten. Use the following command to append the output of the command to the existing file, instead of overwriting it:

root@rock:~# ls -al >> filelist.txt

Another useful tool similar to that available on DOS is the command pipe. The command pipe takes the output of one command and "pipes" it straight to the input of another command. This is an extremely powerful tool for the command line. Look at the following process list (partial output shown):

root@rock:~# ps ax
  PID TTY      STAT   TIME COMMAND
    1 ?        S      0:00 init [3]
    2 ?        SN     0:00 [ksoftirqd/0]
    3 ?        S<     0:00 [events/0]
    4 ?        S<     0:00 [khelper]
    5 ?        S<     0:00 [kacpid]
   26 ?        S<     0:00 [kblockd/0]
   36 ?        S<     0:00 [vesafb]
   45 ?        S      0:00 [pdflush]
   46 ?        S      0:00 [pdflush]
   48 ?        S<     0:00 [aio/0]
 2490 tty1     S      0:00 bash
 3287 pts/0    Ss     0:00 -bash
 3325 pts/0    R+     0:00 ps ax

What if all you wanted to see were those process IDs that indicated a bash shell? You could "pipe" the output of ps to the input of grep, specifying "bash" as the pattern for grep to search. The result would give you only those lines of the output from ps that contained the pattern "bash".

root@rock:~# ps ax | grep bash
 2490 tty1     S      0:00 bash
 3287 pts/0    Ss     0:00 -bash

A little later on we will cover using pipes on the command line to help with analysis.

Stringing multiple powerful commands together is one of the most useful and powerful techniques provided by Linux for forensic analysis. This is one of the single most important concepts you will want to learn if you decide to take on Linux as a forensic tool. With a single command line built from multiple commands and pipes, you can use several utilities and programs to boil down an analysis very quickly.
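An added example (not code from the guide) that joins the .bash_history discussion in the Bash section to the pipes and redirection covered here: history_report does the examiner's walk over a mounted suspect file system, reading accounts from the image's own /etc/passwd and reporting each login account's .bash_history, and top_commands is a four-stage pipeline that boils one of those histories down to a command frequency table. The mount point argument and the fixture image it is run against are assumptions constructed so the script runs stand-alone.

```shell
#!/bin/sh
# Added example, not part of the original guide. MOUNTPOINT is assumed to be
# where a suspect root file system is mounted read-only, so the image's own
# /etc/passwd and home directories are read, never the examiner's.

# history_report MOUNTPOINT
# One line per login account: name, history path, line count or MISSING.
history_report() {
    mnt="${1%/}"
    passwd="$mnt/etc/passwd"
    [ -r "$passwd" ] || { echo "no passwd file under $mnt" >&2; return 1; }
    # passwd fields: name:password:uid:gid:gecos:home:shell
    while IFS=: read -r name pw uid gid gecos home shell; do
        # accounts with no login shell never had an interactive bash session
        case "$shell" in
            ""|*/nologin|*/false) continue ;;
        esac
        hist="$mnt$home/.bash_history"
        if [ -f "$hist" ]; then
            # wc -l counts newlines; tr strips the padding some wc versions print
            count=$(wc -l < "$hist" | tr -d ' ')
            printf '%s\t%s\t%s lines\n' "$name" "$home/.bash_history" "$count"
        else
            printf '%s\t%s\tMISSING\n' "$name" "$home/.bash_history"
        fi
    done < "$passwd"
}

# top_commands HISTFILE
# A pipeline in the spirit of "ps ax | grep bash": awk keeps the first word of
# each line (the command), sort groups identical names, uniq -c counts each
# group, sort -rn puts the most frequent first, awk squeezes uniq's padding.
top_commands() {
    awk '{ print $1 }' "$1" | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# make_image_fixture: constructed stand-in for a mounted suspect file system,
# built in a temp directory so the example runs offline. Prints its path.
make_image_fixture() {
    img=$(mktemp -d)
    mkdir -p "$img/etc" "$img/root" "$img/home/bgrundy"
    cat > "$img/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/sbin/nologin
bgrundy:x:1000:100:Barry:/home/bgrundy:/bin/bash
EOF
    # root ran five commands (ls three times); bgrundy's history is absent
    printf 'ls -al\ncd /mnt/evid\nls -l\nstrings image.dd\nls\n' \
        > "$img/root/.bash_history"
    printf '%s\n' "$img"
}

img=$(make_image_fixture)
history_report "$img"                         # root: 5 lines, bgrundy: MISSING
top_commands "$img/root/.bash_history" > "$img/report.txt"    # > creates the report
top_commands "$img/root/.bash_history" >> "$img/report.txt"   # >> appends a second copy
cat "$img/report.txt"
rm -rf "$img"
```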
The Super User

If Linux gives you an error message "Permission denied", then in all likelihood you need to be "root" to execute the command or ed