Week 4 - Live Data Acquisition - macOS & Linux Flashcards
Two options for non-volatile live data acquisition in macOS & Linux
- Live Disk Imaging
- requires root privileges
- advantage in these file systems - everything is a file, so the disk itself can be read like a file (e.g. /dev/sda, /dev/disk0)
- can image the full disk or specific partitions
- possible to crash the system (extra I/O load; also a swapped if=/of= writes over the evidence instead of reading it)
- verification by hashing the source is not usually possible. A hash of the live disk will not match the image because the disk is in use and constantly changing; hash the image itself instead so later copies can be verified against it
- Forensic File Copying
- forensically copying selected data
- likely to change file timestamps (reading a file updates its access time)
- requires less time / storage
- must know what you want to copy and where it is
Non volatile live data acquisition - macOS / Linux - Live disk imaging - Accessing physical disks
Live disk imaging.
To access the physical disks:
LINUX:
full disks are: /dev/sd[a,b,c…] the first disk has letter a etc (NVMe disks appear as /dev/nvme0n1, /dev/nvme1n1…)
partitions are: /dev/sda[1,2,3…] partitions are numbered from 1 (NVMe: /dev/nvme0n1p1, p2…)
macOS (UNIX):
full disks are: /dev/disk[0,1,2…] the first disk is numbered 0
partitions are: /dev/disk0s[1,2,3…] a partition is a ‘slice’, numbered from 1 (s1, s2…)
Non volatile live data acquisition - macOS / Linux - Live disk imaging - Tools
Linux is often found in a server environment, so the focus is on command line (non-GUI) tools.
Some examples of tools:
- dd (almost always installed by default, easy to use but basic: no hashing, no splitting)
- dcfldd: dd with forensic extras (built-in hashing, hash windows, split output, progress)
- FTK Imager: command line version for macOS & Linux
- Disk Utility (built in to macOS, a good fallback if other tools are not working)
Live Disk Imaging with dd
LINUX:
- Physical disk: sda or hda
- Logical drive or partition: sda1 or hda1
MACOS:
- Physical disk: disk0 (disk 0 is the first disk)
- Logical partition: disk0s1 (partition/slice 1 on disk 0)
EXAMPLES:
dd if=/dev/sda of=suspect_sda.dd conv=noerror,sync
dcfldd if=/dev/sda hash=md5,sha256 hashwindow=10G md5log=md5.txt sha256log=sha256.txt conv=noerror,sync split=10G of=suspect_sda.dd
The plain dd command is the minimum; conv=noerror,sync makes it continue past an unreadable sector (zero-filling it) instead of aborting the image. The dcfldd example makes use of the integrated hash options and writes the hashes to separate files (one hash per 10G window plus a total). It also splits the image into 10G parts. Write the image to a separate evidence disk, never onto the disk being imaged.
Live disk imaging with dd
- make sure to verify the whole disk was copied by comparing the number of sectors or bytes reported by fdisk -l / blockdev --getsize64 (Linux) or diskutil info (macOS) with the size of the image. If the numbers do not match then it could be an indication of….
- dd will not see all sectors in situations like a host protected area (HPA) or device configuration overlay (DCO). These are areas of the disk hidden from the OS, so they are missing from the image; on Linux hdparm -N shows whether an HPA is set and hdparm --dco-identify reports the DCO.
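As an added example (not part of these notes), the size check above as a script: it images a source with dd, compares the byte counts of source and image, and hashes the image for later integrity checks. The "disk" is a constructed temp file so it runs without root; against a real device the source size comes from blockdev --getsize64 (Linux) or diskutil info (macOS). All paths and function names are hypothetical.

```shell
#!/bin/sh
# Added example: dd acquisition followed by the size and hash checks.
# Run against /dev/sdX only as root, with the image on a separate evidence disk.

set -u

# Size in bytes of a regular file or a readable block device.
size_bytes() {
    if [ -b "$1" ] && command -v blockdev >/dev/null 2>&1; then
        blockdev --getsize64 "$1"                      # Linux block device
    elif [ -b "$1" ] && command -v diskutil >/dev/null 2>&1; then
        # macOS: parse "Disk Size: 500.3 GB (500277790720 Bytes) ..." from diskutil info
        diskutil info "$1" | awk -F'[()]' '/Disk Size/ {split($2, a, " "); print a[1]}'
    else
        wc -c < "$1" | tr -d ' '                       # regular file (the demo case)
    fi
}

# sha256sum on Linux, shasum -a 256 on macOS
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# acquire_image SRC DST BS LOG: conv=noerror,sync zero-fills an unreadable
# block and keeps going; dd's record counts and errors go to LOG.
acquire_image() {
    dd if="$1" of="$2" bs="$3" conv=noerror,sync 2>>"$4"
}

# verify_image SRC DST: compare byte counts. Echoes one of
#   OK <bytes>           sizes match
#   PADDED <extra>       image is larger: conv=sync padded the final partial block
#   TRUNCATED <missing>  image is smaller: read stopped early or sectors are hidden (HPA/DCO)
verify_image() {
    s=$(size_bytes "$1"); d=$(size_bytes "$2")
    if [ "$s" -eq "$d" ]; then echo "OK $s"
    elif [ "$d" -gt "$s" ]; then echo "PADDED $((d - s))"
    else echo "TRUNCATED $((s - d))"; fi
}

# hash_image DST LOG: hash the image as written and record it. The live source
# disk cannot be hashed for comparison because it keeps changing.
hash_image() {
    h=$(sha256_of "$1")
    printf '%s  %s\n' "$h" "$1" >> "$2"
    echo "$h"
}

# Demo on a constructed 1536-byte "disk"
work=$(mktemp -d)
head -c 1536 /dev/urandom > "$work/fake_sda"
acquire_image "$work/fake_sda" "$work/suspect_sda.dd" 512 "$work/dd.log"
verify_image "$work/fake_sda" "$work/suspect_sda.dd"      # OK 1536
acquire_image "$work/fake_sda" "$work/padded.dd" 1024 "$work/dd.log"
verify_image "$work/fake_sda" "$work/padded.dd"           # PADDED 512
hash_image "$work/suspect_sda.dd" "$work/sha256.txt"
```

The PADDED case is the one that catches people out: with conv=sync and a block size that does not divide the source size evenly, dd pads the last block, so the image is larger than the disk. Use a block size that divides the device size (512 always does, at the cost of speed) or document the padding in the notes.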
Live disk imaging - LINUX & macOS
Live Disk Imaging - It is possible but not always practical.
- Terabytes of storage changing as you image.
- Not always reliable. Rootkits can detect disk imaging programs and filter certain / malicious files out of what the imaging tool reads.
- Only sees the disk! Will not image pseudo files or virtual file systems that only exist in memory (e.g. /proc, /sys).
A different solution might be forensic file copying of files of interest.
Forensic File Copying - LINUX & macOS
Forensic file copying:
- does not require as much time or space
- copies decrypted file data (on an encrypted volume such as LUKS or FileVault the live system hands over plaintext, whereas a raw disk image contains ciphertext)
- copies pseudo files (with the right tool; see the caveat below)
Forensic File Copying - LINUX & macOS - Tools
Many utilities exist:
- The Sleuth Kit (TSK)
- tar (standard command line utility)
- cp (standard command line utility)
- rsync (standard command line utility)
- server backup & archiving software
Can be scripted because they are command line utilities.
Key to choosing a tool is to use one that:
- preserves the timestamps, permissions and contents of the files being copied
- does not alter the timestamps (especially access times) of the source files while reading them
- has minimal impact on the suspect system (small footprint): how much memory does it use, which shared libraries does it load
All important factors to note when testing.
What should you do before doing any forensic file copying?
Must record the current state of the directory tree. Includes:
- Files
- Sub directories
- Timestamps (if you know you are going to change them, then record them before you change them)
- Permissions
- Inodes
The ‘ls’ command used with the options shown below gives a full list of the files in every sub directory of the directory tree you are interested in, with all information on each file including timestamps, permissions and inodes. Redirect the output to a text file on the evidence media, not on the suspect disk. The capital R makes it recurse through all the sub directories.
ls --full-time -lhaiR > /media/suspect_file_info.txt
--full-time is GNU ls (Linux) only; the BSD ls on macOS uses -T for full timestamps: ls -lhaiRT > /media/suspect_file_info.txt
Forensic file copying - tar
tar is an archiving program common to Linux / Unix
- Create a new archive from directory “/tmp”
tar --atime-preserve=system -chpsvf archive.tar /tmp/*
-c Create
-h Follow symlinks (archives the target's content instead of the link; leave it out if the links themselves are evidence)
-p Preserve permissions
-s Preserve order
-v Verbose
-f <filename> Location of archive
-t List
--atime-preserve=system reads files without updating their access times (GNU tar only; the bsdtar shipped with macOS does not have it)
- Extract contents of the new archive
tar [-C extract_dir] -xpsvf archive.tar
-x Extract
-C Directory to extract to
Forensic file copying - cp
cp is the standard copy command.
-a is the ‘archive’ switch: recursive, and preserves mode, ownership, timestamps and symbolic links
Can copy files and directories
-r is recursive, makes it recurse through sub directories (already implied by -a)
cp -a <source> <destination>
Changes to timestamps: reading the source updates its atime unless the filesystem is mounted noatime/relatime, and exactly which timestamps survive on the copy varies between LINUX & macOS - test!
Forensic file copying - caveat
Copying Caveat:
Pseudo Files
- The /proc filesystem in Linux is a virtual filesystem generated by the kernel; it occupies no disk space and exposes kernel state plus a directory for each running process (/proc/<pid>)
- Information about hardware and running processes
- Files report a zero size - they don’t really “exist” on disk, the content is produced in memory when read
- tar will copy the zero size file, but not the virtual contents! (it trusts the size from stat and so reads nothing)
What can we do? Two options
- Copy to the forensic disk using the ‘cp’ command (cp reads until end of file, so it gets the generated content)
- Read the contents to a file using the cat command and redirect the output to a location on the evidence disk
cat /proc/partitions lists partition information
No timestamps are preserved because you are really creating a new file; record the acquisition time yourself
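As an added example (not part of these notes), the forensic file copying steps end to end on a constructed sample tree: record the directory tree with ls, copy it with tar and with cp -a, check that the copies kept the source mtimes, and capture a pseudo-file with cat while logging the acquisition time. It assumes GNU ls/tar/stat on Linux with BSD fallbacks for macOS; all paths and function names are hypothetical.

```shell
#!/bin/sh
# Added example: inventory, tar and cp -a copies, mtime check, pseudo-file capture.
# On a real job every output below goes to the evidence disk, never the suspect disk.

set -u

# mtime as epoch seconds; GNU stat (Linux) first, BSD stat (macOS) as fallback
mtime_of() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# Step 1: inventory. --full-time is GNU ls; BSD/macOS ls shows full times with -T.
record_tree() {   # record_tree DIR OUTFILE
    if ls --full-time "$1" >/dev/null 2>&1; then
        ls --full-time -lhaiR "$1" > "$2"
    else
        ls -lhaiRT "$1" > "$2"
    fi
}

# Step 2a: tar round trip. Symlinks are archived as links (no -h).
# --atime-preserve=system opens files with O_NOATIME so reading does not touch
# the source atimes; it is GNU-only, so fall back to a plain create elsewhere.
copy_with_tar() {   # copy_with_tar SRCDIR ARCHIVE DESTDIR
    if tar --version 2>/dev/null | grep -q GNU; then
        tar --atime-preserve=system -cf "$2" -C "$1" . 2>/dev/null \
            || tar -cf "$2" -C "$1" .
    else
        tar -cf "$2" -C "$1" .
    fi
    mkdir -p "$3" && tar -xpf "$2" -C "$3"       # -p restores the stored permissions
}

# Step 2b: cp -a = recursive, keep mode, owner, timestamps and symlinks.
copy_with_cp() {   # copy_with_cp SRCDIR DESTDIR
    mkdir -p "$2" && cp -a "$1/." "$2/"
}

# Step 3: count regular files whose mtime differs between source and copy.
# Echoes the count; 0 means timestamps were preserved. (Sample paths contain
# no whitespace, so plain word splitting of find's output is safe here.)
count_mtime_mismatches() {   # count_mtime_mismatches SRCDIR DESTDIR
    n=0
    for f in $(cd "$1" && find . -type f); do
        [ "$(mtime_of "$1/$f")" = "$(mtime_of "$2/$f")" ] || n=$((n + 1))
    done
    echo "$n"
}

# Step 4: pseudo-files. tar trusts st_size (0 for /proc entries) and stores
# nothing; cat reads to EOF and gets the live content. The result is a new
# file, so there is no timestamp to preserve: log when it was taken instead.
capture_pseudo() {   # capture_pseudo PSEUDOFILE OUTDIR LOG -> echoes bytes captured
    out="$2/$(printf '%s' "$1" | tr '/' '_')"
    cat "$1" > "$out"
    bytes=$(wc -c < "$out" | tr -d ' ')
    printf '%s %s -> %s (%s bytes)\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$out" "$bytes" >> "$3"
    echo "$bytes"
}

# Demo on a constructed tree (contents are made up)
work=$(mktemp -d)
mkdir -p "$work/suspect/etc"
printf 'root:x:0:0:root:/root:/bin/sh\n' > "$work/suspect/etc/passwd"
printf 'nameserver 10.0.0.1\n' > "$work/suspect/etc/resolv.conf"
touch -t 202301151200.00 "$work/suspect/etc/passwd"   # old mtime to check preservation
record_tree "$work/suspect" "$work/suspect_file_info.txt"
copy_with_tar "$work/suspect" "$work/suspect.tar" "$work/from_tar"
copy_with_cp "$work/suspect" "$work/from_cp"
echo "tar mtime mismatches: $(count_mtime_mismatches "$work/suspect" "$work/from_tar")"   # 0
echo "cp  mtime mismatches: $(count_mtime_mismatches "$work/suspect" "$work/from_cp")"    # 0
mkdir -p "$work/pseudo"
if [ -r /proc/partitions ]; then   # Linux only: the notes' own pseudo-file example
    echo "/proc/partitions via cat: $(capture_pseudo /proc/partitions "$work/pseudo" "$work/acquisition.log") bytes"
fi
```

The mismatch count is the "test!" from the cp card made concrete: run it once per tool on the target platform before using that tool on evidence, and keep the inventory file from step 1 so that any timestamp the copy did change can still be read from the pre-copy record.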