Friday 29 May 2009

USB Prober

From time to time the subject of linking USB flash drives to a particular PC crops up. A week or so ago I saw a post on the Guidance boards touching on this subject and chipped in with a link to a paper referencing Harlan Carvey's original research in this area. The nub of this issue is that many USB flash drives have a unique device serial number which is recorded into the registry of Windows boxes that have hosted said flash drive.

When investigating this issue establishing a USB flash drives device serial number may be achieved by utilising a utility such as UVCView. In our lab we use the Tableau T8 USB write blocker to do this. When checking out the subject again prior to posting to the thread on the Guidance boards referred to above I discovered that my Mac Book Pro also has a utility that can establish a USB flash drives device serial number. The utility is an application called USB Prober which is installed as part of the XCode developer tools (which can be found on the separate DVD along with the Mac OS disc for those that have a Mac).

To use USB Prober for this purpose the Mac needs to configured so that it does not mount the USB flash drive. To do this disk arbitration needs to be turned off. In Leopard in terminal the command is:

sudo launchctl unload /System/Library/LaunchDaemons/com.apple.diskarbitrationd.plist

Once disk arbitration simply launch USB Prober (via spotlight is the quickest way) and drill down to the device serial number.

References
http://www.macosxforensics.com/Technologies/DiskArbitration/DiskArbitration.html
http://scissec.scis.ecu.edu.au/conference_proceedings/2007/forensics/23_Luo_Tracing_USB_Device_artefacts_on_Windows_XP.pdf
http://developer.apple.com/documentation/MacOSX/Conceptual/OSX_Technology_Overview/Tools/Tools.html


Tuesday 5 May 2009

Helix Imaging PC

When we upgrade our Forensic Workstations we cascade the older machines onto administrative and imaging tasks. One particular ex Forensic Workstation had supported a tape drive for a year or two but now was about to become totally redundant. Instead of suffering this fate I decided to dedicate it to running Helix. The box itself is a Supermicro chassis sporting a Supermicro X6-DAL-TG motherboard, twin Xeon Nocona 3.4 ghz processors, 2GB ram and a hot swap drive bay.

I had read Andre Ross's blog post Installing Helix 2008R1 and Jess Garcia's How to install Helix to Disk webpage and decided that installing to hard disk was the way to go.

The process I followed to do this successfully (guided by Andre Ross's post in the main) was:

  1. Equip box with an unformatted wiped hard disk - using a partitioned (with ext2 and linuxswap) disk caused the installation routine to hang.
  2. Boot box to Helix 2008R1 CD and commence installation by going to System->Administration->Install
  3. At the point the installer hangs (Who are you screen) click cancel and then quit
  4. Commence installation routine again and create a user - I called mine Helix
  5. Configure Network Adaptor to connect to the internet via System->Administration->Network
  6. Launch Update Manager via System->Administration->Update Manager and update all packages.
  7. Applications->Forensics & IR->Root Terminal
    :~#apt-get install smbfs
    :~#apt-get install winbind

Part 1 of the job is done. A little bit of configuration is needed to make the machine more usable in it's main role as an imaging machine. I am not a Linux guru so apologies for the Janet and John approach for those that are. Also my imaging machines are in a secure environment and not normally connected to the internet so I felt relaxing security a little may be OK.

Relaxing Security

  1. System->Administration->Login Window
    On the Security tab you may wish to enable Automatic Login for the Helix user
  2. Applications->Forensics & IR->Root Terminal
  3. :~# nano /etc/sudoers
  4. Use arrow keys to scroll to end of file then type
    Helix ALL=(ALL) NOPASSWD: ALL
    (presuming helix was the name of the user account you created, if not substitute helix with the name of your account)
  5. Type CTRL+o to save then press enter then type CTRL+x to exit nano text editor. The syntax is critical - if sudoers is messed up your OS may not boot. The reason this is done is that most of the applications we wish to use run at root. However user accounts do not have root privileges. This is overcome by using the sudo command which periodically requires you to enter a password which is a pain. Editing the sudoers file as shown above removes the requirement to enter a password when sudo is used.
  6. By default there are three icons in the panel (like Windows Quick Lauch) on the taskbar at the top of the desktop (Firefox, help and terminal). Right click on Terminal and Remove from Panel.
  7. Access Applications->Forensics & IR->Root Terminal in the menu and right click and select Add to Panel

Imaging Applications

I work in an Encase shop so I am going to concentrate on applications that image to EWF format (aka e.01 files). There are currently two applications installed that do this - Linen and EWFacquire.

Linen

Linen needs some configuration to run from the shortcut Applications->Forensics & IR->Linen. This shortcut (I think the proper linux terminology is launcher) runs a script called sl in /usr/bin. sl needs editing.

  1. Applications->Forensics & IR->Root Terminal (or click on Root Terminal in the Panel)
  2. :~# nano /usr/bin/sl
  3. Use nano to delete the line
    cp /cdrom/IR/bin/linen /usr/local/bin
  4. Type CTRL+o to save then press enter then type CTRL+x to exit nano text editor.

At this stage Linen does not reside in /usr/local/bin - we need to put an up to date copy there.

  1. On a Windows box where Encase version 6 is installed copy the Linen file from the root Encase folder within Program Files to a thumb drive.
  2. On the Helix box copy Linen from the thumb drive to /usr/local/bin as follows:
  3. Launch root terminal from panel on task bar and mount your thumb drive by clicking on it's icon on the task bar and selecting Mount
  4. :~# cp /media/sdc1/linen /usr/local/bin (where sdc1 is your thumb drive)

Linen should now be launchable via the menu. But in true windows style I created a desktop shortcut by right clicking the Linen menu item and selecting add launcher to desktop.


EWFacquire

EWF Acquire is installed and will run from the root terminal. This program is part of the libewf project. The syntax is

ewfacquire /dev/sdb

where /dev/sdb is the drive to be imaged. Again I created a desktop shortcut by:

  1. Right clicking on the desktop and selecting Create Launcher
  2. Change the type to Application in Terminal
  3. Set the name appropriately
  4. In the command box type sudo /usr/bin/ewfacquire /dev/sdb
  5. Click OK


It is probably worth noting that you would not want to launch EWFacquire from the desktop launcher unless you had established the path of each drive by typing fdisk -l into the root terminal.


Guymager

Guymager is another imaging tool that utilises Libewf. It is controlled from a GUI and is a desirable addition to our imaging tools. I intend to do a mini review of it along with steps I have carried out to validate it in a forthcoming blog post. It is not installed on the Helix CDRom but can be installed to our hard disk installation.

  1. Launch a Root Terminal
  2. :~# nano /etc/apt/sources.list
  3. Use arrow keys to scroll to end of file then type deb http://apt.pinguin.lu/i386 ./
  4. Type CTRL+o to save then press enter then type CTRL+x to exit nano text editor.
  5. Whist still connected to internet type in root terminal
  6. :~# apt-get update
  7. :~# apt-get install guymager smartmontools hdparm libewf-tools

Once the process is completed guymager can be launched from a root terminal. Again I created a desktop shortcut by:

  1. Right clicking on the desktop and selecting Create Launcher
  2. Change the type to Application in Terminal
  3. Set the name appropriately
  4. In the command box type sudo /usr/bin/guymager
  5. Click OK

Guymager utilises a configuration file - guymager.cfg. For my setup I wanted to make some changes. The program advises that changes should be made to local.cfg, however I did not have much success with this. I edited guymager.cfg with nano:

  1. Launch a Root Terminal
  2. :~# nano /etc/guymager/guymager.cfg
    and modify entries to the following
  3. Language='en'
    EwfFormat=Encase5
    EwfCompression=Best
    EwfSegmentSize=1500
  4. and in the Table LocalDevices area add a new line beneath the line of ------------
    containing the serial number of the hard disk drive where Helix is installed
    e.g. '1ATA_Maxtor_6B300S0_B605MV0H'
    The best way to establish the serial no. is probably with Guymager itself.
  5. Many other changes can be made as documented within guymager.cfg
  6. Type CTRL+o to save then press enter then type CTRL+x to exit nano text editor.


Adepto


Although Adepto does not image to EWF files I know some people use it. Some changes need to be made to get it to work.

  1. Launch a File Browser with root permissions by launching a root terminal and typing nautilus
  2. Use the file browser to navigate to /home/helix (helix being the name of the user account I created during the installation routine - if you used another account name navigate to /home/theAccountNameYouUsed )
  3. Right click or use the edit menu to create a folder then name it Adepto
  4. Double click Adepto and create a subfolder within Adepto called Logs
  5. Right click on Logs and Make Link
  6. Right click on the resulting Link to Logs and Cut
  7. Navigate to /usr/local/adepto and paste your link file
  8. Right click on the existing Logs file and delete
  9. Rename Link to logs to logs

    Adepto should work now.

Some Networking Stuff

In our lab we image to a file server running Microsoft Windows Server 2003. When I have used the Helix CDs in the past it was always a pain to image to an attached hard drive then transfer the image to the file server later. I wanted the Helix Imager to image direct to our file server and be part of our Windows Workgroup.

To do this:

  1. via System->Administration->Network configure to connect to your internal network
  2. on the windows file server create a share (I called mine Helix) and create a user named Helixuser (having done this you can apply appropriate security to this user at the Windows end)
  3. Create a mount point to the windows share by:
  4. Launch a Root Terminal
  5. :~#mkdir /media/helix
  6. :~# nano /etc/nsswitch.conf
    modify (add wins prior to dns) the following line to read

    hosts: files mdns4_minimal [NOTFOUND=return] wins dns mdns4

    Type CTRL+o to save then press enter then type CTRL+x to exit nano text editor
  7. :~# nano /etc/fstab
  8. Append the line below to the end of the fstab file

    //server/Helix /media/helix cifs username=user,password=*,iocharset=utf8,file_mode=0777,dir_mode=0777 0 0

    where server is your server name, Helix is the name of your Windows share, helix is the name of the linux mount point, user is the name of an account on your Windows server and * is substituted for whatever your password is.
  9. Type CTRL+o to save then press enter then type CTRL+x to exit nano text editor
  10. :~# mount -a
  11. Configure the way the Helix Imager box is recognised within our Windows Workgroup
  12. at the root terminal :~# nano /etc/samba/smb.conf
  13. Within the global settings area modify entries to the following
    workgroup = THENAMEOFYOURWORKGROUP
    server string = %h

Now that a mount point has been created to your windows share specifying /media/helix as the path to image to in Linen, EWFacquire or Guymager will output the image to the Windows File Server.