Linux Forensics - Week 1
March 19, 2004
This is the first in a series of Agile Risk Management LLC Linux Forensics articles. We plan to release one brief article each week over the next month. Each article will outline basic Linux forensics techniques, tools, and procedures. We welcome your suggestions and comments, and hope you enjoy the material.
Multiple Session CDRs
Recordable CD media (CDR, CDRW) discs represent an excellent source of potential evidentiary data. Typical CDR uses, such as backup and large file delivery, increase the likelihood that the obtained disc(s) contain valuable information.
In our example we were given CDR media discovered during the cleanout of a newly leased office building. Using specialized Linux filesystems and standard commands we were able to access historical session data and past versions of documents and reports. While the data discovered on the CDRs was rather mundane, this brings up an interesting question: who is liable for customer data once an organization goes out of business?
Readcd
Readcd is part of the cdrecord or cdrtools package. This tool should be installed by default on most major Linux distributions; however, it is also available here. In our example, we use readcd to report the actual number of sessions on the CDR.
[mshannon@silentpower mshannon]$ readcd dev=0,0,0 -fulltoc
Read speed: 9152 kB/s (CD 52x, DVD 6x).
Write speed: 9152 kB/s (CD 52x, DVD 6x).
TOC len: 169. First Session: 1 Last Session: 3.
01 14 00 A0 00 00 00 00 01 00 00
01 14 00 A1 00 00 00 00 01 00 00
01 14 00 A2 00 00 00 00 00 0A 00
01 14 00 01 00 00 00 00 00 02 00
01 54 00 B0 02 28 00 02 4F 3B 47
01 54 00 C0 A0 00 30 00 61 1A 42
02 14 00 A0 00 00 00 00 02 00 00
02 14 00 A1 00 00 00 00 02 00 00
02 14 00 A2 00 00 00 00 08 1D 37
02 14 00 02 00 00 00 00 02 2A 00
02 54 00 B0 09 3B 37 01 4F 3B 47
03 14 00 A0 00 00 00 00 03 00 00
03 14 00 A1 00 00 00 00 03 00 00
03 14 00 A2 00 00 00 00 0A 09 37
03 14 00 03 00 00 00 00 0A 01 37
Lead out 1: 600
Lead out 2: 38080
Lead out 3: 45580
[mshannon@silentpower mshannon]$
Based on the above information, we know the CDR contains 3 sessions.
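As an added illustration (not code from the original article), the Python below parses the raw TOC lines that readcd -fulltoc printed above, groups them by session, and converts the POINT A2 lead-out and track-start addresses from MSF to logical block addresses. Reproducing readcd's own "Lead out" figures from the raw entries is a useful cross-check that the session count was read correctly; SAMPLE_TOC is a constructed copy of the entries shown above, and the field layout follows the MMC full-TOC format.

```python
# Constructed copy of the raw TOC lines readcd -fulltoc printed above. Each line
# is: session, ADR/CTRL, TNO, POINT, Min, Sec, Frame, Zero, PMin, PSec, PFrame
# (the MMC full-TOC layout), with every byte printed in hex.
SAMPLE_TOC = """\
01 14 00 A0 00 00 00 00 01 00 00
01 14 00 A1 00 00 00 00 01 00 00
01 14 00 A2 00 00 00 00 00 0A 00
01 14 00 01 00 00 00 00 00 02 00
01 54 00 B0 02 28 00 02 4F 3B 47
01 54 00 C0 A0 00 30 00 61 1A 42
02 14 00 A0 00 00 00 00 02 00 00
02 14 00 A1 00 00 00 00 02 00 00
02 14 00 A2 00 00 00 00 08 1D 37
02 14 00 02 00 00 00 00 02 2A 00
02 54 00 B0 09 3B 37 01 4F 3B 47
03 14 00 A0 00 00 00 00 03 00 00
03 14 00 A1 00 00 00 00 03 00 00
03 14 00 A2 00 00 00 00 0A 09 37
03 14 00 03 00 00 00 00 0A 01 37
"""

def msf_to_lba(minutes, seconds, frames):
    """MSF to logical block address: 75 frames per second, minus the 150-block
    lead-in offset so track 1 starts at LBA 0 (readcd's "Lead out" lines agree)."""
    return (minutes * 60 + seconds) * 75 + frames - 150

def parse_fulltoc(text):
    """Group TOC entries by session: first/last track (POINT A0/A1), start LBA of
    each track, and the lead-out LBA (POINT A2). Non-entry banner lines are skipped."""
    sessions = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 11:
            continue  # "Read speed", "TOC len" and "Lead out" lines
        b = [int(x, 16) for x in fields]
        sess, point = b[0], b[3]
        pmin, psec, pframe = b[8], b[9], b[10]
        s = sessions.setdefault(sess, {"tracks": {}})
        if point == 0xA0:
            s["first_track"] = pmin
        elif point == 0xA1:
            s["last_track"] = pmin
        elif point == 0xA2:
            s["lead_out"] = msf_to_lba(pmin, psec, pframe)
        elif 1 <= point <= 99:
            s["tracks"][point] = msf_to_lba(pmin, psec, pframe)
        # POINT B0/C0 entries hold multisession and disc-identification hints
    return sessions
```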
Isoinfo
Isoinfo is also part of the cdrecord or cdrtools package. This tool should be installed by default on most major Linux distributions; however, it is also available at the above address. In our example, we use isoinfo to provide information about the burning software and the CDR media.
[mshannon@silentpower mshannon]$ isoinfo -d -i=/dev/cdrom
CD-ROM is in ISO 9660 format
System id:
Volume id: DISK1
Volume set id:
Publisher id:
Data preparer id:
Application id: NERO___BURNING_ROM
Copyright File id:
Abstract File id:
Bibliographic File id:
Volume set size is: 1
Volume set sequence number is: 1
Logical block size is: 2048
Volume size is: 600
Joliet with UCS level 3 found
NO Rock Ridge present
[mshannon@silentpower mshannon]$
Based on the above information, the most recent session was most likely mastered with NERO BURNING ROM.
CDFS
CDFS is a Linux filesystem which provides access to each CDR session as a separate ISO image. CDFS requires root access to build, install, and use, and the Linux workstation must have the kernel sources installed. CDFS is available here. In our example we accessed the CDR using the iso9660 and cdfs filesystems. The iso9660 filesystem exposed only the most recent ISO image on the CDR media; CDFS, by contrast, exposed each session as an individual iso9660 image. We then mounted the earliest session as a loopback device and listed its contents.
[root@silentpower mnt]# mount /dev/cdrom /mnt/cdrom/
mount: block device /dev/cdrom is write-protected, mounting read-only
[root@silentpower mnt]# cd cdrom
[root@silentpower cdrom]# ls
TechnicalConsultingResume_JGP.doc
[root@silentpower cdrom]# cd ..
[root@silentpower mnt]# umount /mnt/cdrom
[root@silentpower mnt]# mount -t cdfs /dev/cdrom /mnt/cdfs
mount: block device /dev/cdrom is write-protected, mounting read-only
[root@silentpower mnt]# cd cdfs
[root@silentpower cdfs]# ls
3.1.Apple_partition_map sessions_1-1.iso sessions_1-3.iso
3.2.Apple_HFS sessions_1-2.iso sessions_1-4.iso
[root@silentpower cdfs]# mkdir /mnt/loop1
[root@silentpower cdfs]# mount -o loop sessions_1-1.iso /mnt/loop1
[root@silentpower cdfs]# cd /mnt/loop1/
[root@silentpower loop1]# ls
DP-Mig-1.xls EGL.xls misc9-11-00.xls
EGL_New.xls july-results.xls WG-audit.xls
[root@silentpower loop1]#
Based on the above information, several Excel files are available from a former session.
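To compare the mastering metadata of every session image that cdfs exposes (the same fields isoinfo -d printed in the previous section), here is an added Python parser for the ISO 9660 Primary Volume Descriptor; it is not code from the article. Field offsets follow ECMA-119, the both-endian integers are cross-checked so a damaged descriptor is reported rather than misread, and the sample image it builds is constructed (its volume id, application id and size are made-up values, not taken from the disc examined above).

```python
import struct

SECTOR = 2048
PVD_OFFSET = 16 * SECTOR  # the Primary Volume Descriptor lives at logical sector 16

def _both_endian(buf, width):
    """ISO 9660 stores integers twice (little- then big-endian); decode both
    and require them to agree, which catches a damaged or truncated descriptor."""
    le = int.from_bytes(buf[:width], "little")
    be = int.from_bytes(buf[width:2 * width], "big")
    if le != be:
        raise ValueError("both-endian field mismatch: %d != %d" % (le, be))
    return le

def _text(buf):
    return buf.decode("ascii", "replace").rstrip(" \0")

def parse_pvd(image):
    """Return the descriptor fields isoinfo -d prints, from a session image."""
    pvd = image[PVD_OFFSET:PVD_OFFSET + SECTOR]
    if len(pvd) < SECTOR or pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("no ISO 9660 Primary Volume Descriptor at sector 16")
    return {
        "system_id": _text(pvd[8:40]),
        "volume_id": _text(pvd[40:72]),
        "volume_size": _both_endian(pvd[80:88], 4),
        "volume_set_size": _both_endian(pvd[120:124], 2),
        "volume_sequence_number": _both_endian(pvd[124:128], 2),
        "logical_block_size": _both_endian(pvd[128:132], 2),
        "volume_set_id": _text(pvd[190:318]),
        "publisher_id": _text(pvd[318:446]),
        "data_preparer_id": _text(pvd[446:574]),
        "application_id": _text(pvd[574:702]),
    }

def build_sample_image(volume_id, app_id, volume_size):
    """Constructed minimal image (empty system area plus one PVD) so the parser
    runs offline; a real sessions_1-N.iso from cdfs is parsed the same way."""
    pvd = bytearray(SECTOR)
    pvd[0], pvd[1:6], pvd[6] = 1, b"CD001", 1
    pvd[40:72] = volume_id.ljust(32).encode("ascii")
    pvd[80:88] = struct.pack("<I", volume_size) + struct.pack(">I", volume_size)
    for off in (120, 124):  # volume set size and sequence number, both 1
        pvd[off:off + 4] = struct.pack("<H", 1) + struct.pack(">H", 1)
    pvd[128:132] = struct.pack("<H", SECTOR) + struct.pack(">H", SECTOR)
    pvd[574:702] = app_id.ljust(128).encode("ascii")
    return bytes(PVD_OFFSET) + bytes(pvd)
```

Running parse_pvd(open("/mnt/cdfs/sessions_1-1.iso", "rb").read(PVD_OFFSET + SECTOR)) against each session image shows whether the volume id or mastering application changed between sessions.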
The process outlined above provides basic access to multiple sessions on CDR media under Linux. Look for additional Agile Linux Forensics Weekly articles on our Research page.
About the Author:
Matthew Shannon has over five years of professional information security experience in private industry, including KPMG LLP, ExxonMobil, and United Technologies. Mr. Shannon has been the lead investigator on numerous computer forensics engagements, including intellectual property theft and employment law.
Mr. Shannon graduated cum laude from The University of Florida in Decision and Information Sciences (BSBA) in 1999. He is an accomplished speaker having presented at the DEFCON 11 Information Security Conference in Las Vegas, Nevada. He is a member in good standing of ISSA. In addition, Matthew holds numerous professional information technology certifications, and has been a contributor to multiple open source information security projects including "The Sleuthkit" and "The Honeynet Project".
About Agile Risk Management LLC:
Agile Risk Management, LLC is a premium provider of information security consulting services, committed to providing business value with uncompromised integrity. Agile specializes in delivering consulting services not motivated or influenced by vendor products or relationships. Agile provides services that afford reasonable protection for the information assets of our clients in accordance with their business needs.
Agile service offerings include:
- Digital Forensics and Litigation Support
- Security Assessments
- Security Program Development
- Crisis Management
- Business Continuity Planning