Debian Linux as a Forensic Workstation

1. Debian GNU/Linux as a Forensic
Workstation

2. #whoami
 Vipin George
 Ad-hoc faculty at CEK
 Handled Internet plumbing for a Tier- 1 ISP
 M.Tech in Cyber Forensics and InfoSec
 Mozillian, Wikipedian
 Enjoys tinkering with Electronic gadgets
 Licensed Radio amateur, call sign: VU3YVG/ KC9VED

3. What is Digital Forensics?
 The gathering and analysis of
digital information in an authentic,
accurate and complete form for
presentation as an evidence in a
court of law
 Any electronic device (mp3 player,
Hard disk, Mobile phone) can be
the source of evidence

4. What is Digital Forensics?
 Investigation takes place after
an incident has happened
 Try to answer questions:
 Who?
 What?
 When?
 Where?
 Why? and
 How?

5. Locard’s Exchange principle

6. Locard’s Exchange principle
 whenever two
computers come "into
contact" and interact,
they exchange
something from each
other
 This may appear in log
files, and be visible in
the output of
commands.

7. Stages
 Digital forensics activities
commonly include:
 the secure collection of data
 the identification of suspect data
 the examination of suspect data
without modifying it
 the presentation of information
to courts of law
 the application of country's laws
to computer practice.

8. First of the few
 One cent crime 1960’s

9. First of the few
 One cent crime 1960’s
 millions of daily transactions
add up
 small attacks add up to one
major attack that can go
undetected due to the nature
of this type of cyber crime
 Salami attack !

10. Why Debian GNU/Linux?
 It is mandatory to image suspect drive using at least
two tools
 Budget
 Stability
 Dedicated solutions are predictable
 Eg: EnCase Forensic Imager vulnerability
 Ability to dig deeper

11. Why Debian GNU/Linux?
 Support for rapidly changing storage mediums & size
 Plenty of tools - Debian Forensics Environment -
essential components (metapackage) by Debian
Security Tools Team has 158 packages as of now
 https://packages.debian.org/sid/forensics-full
 Restoring a virus infected Thumb-drive to a Windows
system will infect the workstation itself

12. Digital Forensics
 Storage/Disk Forensics
 Memory Forensics
 Network Forensics

13. Digital Forensics toolkit
 Laptop
 Operating System with all patches
 Reliable software tools with all
patches
 Dedicated Hardware if needed
 Evidence container
 Storage media
 Digital Camera

14. Digital Forensics
 Four Cardinal Rules
 Never Mishandle Evidence
 Never Work on Original Digital Evidence
 Never Trust the Subject's OS
 Document everything

15. Ensuring Forensic soundness
 Use a live CD/DVD
 Don’t store anything on suspect storage
 Don’t attach these workstation to any network
 Use separate VMs for each case to avoid any
cross-contamination

16. Ensuring Forensic soundness
 Destination storage should be equal or larger than the
source
 Reinstall Forensic platform each time
 Normal image
 Ghost image
 Use Write-blockers

17. Write blocker
 Malware, or AV update or scan may update timestamps
 Write blocker prevents Data from being written on to drive
 Preserves all data on drive
 Decreases chance of corrupting drive
 Allows investigator to image the drive without affecting the
drive
 Write protection
 Hardware – SATA, IDE, USB, FireWire
 Software

18. Hardware write blocker
 Prevents Data from being written on to drive
FORENSIC
WORKSTATION
USB TO IDE/SATA
ADAPTER
EVIDENCE DRIVE
IDE/SATA CABLE

19. Hardware write blocker
 Prevents Data from being written on to drive

20. Software write blocker
 Disable Auto-mount
 Turn Swap off
 Kernel patch and
userspace tools to
enable Linux software
write blocking
 Source:
https://github.com/ms
uhanov/Linux-write-
blocker

21. Acquiring Disk Image
 Ordinary file copy won't work
 Bit by bit copy needed for Forensic soundness
 Why?

22. Acquiring Disk Image
 Evidence can be hidden in many places in a disk
 Printer Queue can be a source
 A hard drive contains partitions, a partition contains a file
system and a file system is used to structure data
 Bit by bit disk image
 Capture both allocated and unallocated space
 Do not use gzip/tar or normal backup tools
 Lose unallocated space
 Can’t recover deleted files

23. Slack Space – File Slack

24. Slack Space

25. Validating the Image - Hashing
 Cryptographic checksums to prove the integrity of original
contents
 Algorithms:
 CRC-32(32 bit)
 Message Digest – 5 (MD5, 128 bit)
 SHA-1 (160 bit)

26. Validating the Image - SHA-1 (160 bit)

27. Acquiring Disk Image - Software
 dd: Full disk dd if=/dev/sda of=/mnt/usb/sda.img bs=512
 But not forensically sound
 ddrescue: good for data recovery, but not forensically
sound
 dcfldd: disk image verification to ensure integrity, can split
large files
 dcfldd if=/dev/sdX hash=md5,sha256 md5log=/root/md5.txt
sha256log=/root/sha256.txt conv=noerror,sync
of=/root/diskimage.dd

28. Acquiring Disk Image - Software
 Guymager
 Fast, due to multi-threaded, pipelined design and multi-
threaded data compression
 Makes full usage of multi-processor machines
 Generates flat (dd), EWF (E01) and AFF images, supports
disk cloning
 Source https://guymager.sourceforge.io/

29. Examining and Analyzing Disk Images
 How to find and interpret forensic artifacts?
 TSK + Autopsy (GUI-frontend)
 The Sleuth Kit and Autopsy browser
 http://www.sleuthkit.org/
 It can ingest a disk image, we can explore and extract files
of interest
 supports raw, Expert Witness, and AFF file formats

30. Metadata: Data speaks to us
 Valuable info. such as time, date, author
of documents may be embedded in the
file
 Serial killer Dennis Rader was caught after
31 years

31. On Suspect system
 Trusted binaries - statically compiled binaries run from CD
or USB
 ls, lsof, ps, netstat, grep, uname, date, find, file, ifconfig, arp
 Test before use
 different Linux distributions and kernels
 both 32 bit and 64 bit platform
 Will not modify Access time of system binaries
 Be aware of limitation - Kernel mode rootkit

32. Volatile Data Collection
 Collect as much volatile data as possible
 But minimise footprint on the target system
 In the order of most volatile to least
 Memory
 Network status and connections
 Running processes
 Other system information
 Document everything

33. Volatile Data Collection
 Be aware of the concept of “Chain of
custody”
 Maintain a good record (a paper trail) of
what you have done with evidence

34. Memory Forensics
 Data might be encrypted on disk, but unencrypted on
memory
 LiME – Linux Memory Extractor
 Less memory footprint
 Pre-compile LiME for suspect system architecture for
specific kernel as a loadable Kernel object
 Compile LiME on suspect system if architecture
unknown(less recommended)
 Source: https://github.com/504ensicsLabs/LiME

35. Memory Forensics
 Analyze the memory dump using Volatility
 Source: https://github.com/volatilityfoundation/volatility
 Photorec can carve out files from memory images too
 Supports DD raw image, EnCase E01 image etc.
 Source:
https://www.cgsecurity.org/wiki/TestDisk_Download

36. Network Forensics: collecting RAW network
data
 Wireshark – GUI
 tshark - CLI
 tcpdump - CLI
 Nmap: Map a network
 Snort
 P0f (OS passive fingerprinting)
 XPLICO: Network Forensic Analysis
Tool, can extract pcap files, has
web interface

37. Challenges: Anti-forensics
 Modern SSDs stop recording access times to improve its
life
 Anti-forensic tools

38. Questions

39. Reach me
@vipinonline
linkedin.com/in/vipingeo
t.me/vipinonline
www.vipinonline.com





40. Thank You!
The text in this work is licensed under a Creative Commons Attribution-
NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0)