Sunday 2 September 2012

A plague of previewing...the rising

So you have created your preview disk, booted the system and now want to start previewing. You can use forensic tools such as The Sleuth Kit for some of the analysis, but we will also want to use many of the tools built into Linux. For that we need to mount the file systems in a forensically sound way, and probably mount some external storage to receive our exported data.

There are a number of fantastic tools available to us in Linux for discovering physical disks, partition tables and file system information before we mount those file systems.
We will also want to know what exists in the gaps between partitions: is there raw data, or maybe a complete but deleted file system? If a file system fails to mount, we would want to know why: is the file system encrypted? If the file system is BitLocker encrypted, maybe we want to scan the partition for a recovery key? We will also want to mount an external drive in read/write mode to collect the results of our analysis. This can be quite a challenging task at the terminal, so I have written a script that will automatically perform most of the above tasks in seconds. You can add this script to your boot CD. Note there are a couple of dependencies that should be available in your system's package manager to install; the deps are:
gdisk (to handle GPT partitions)
sleuthkit
hachoir tools set
hdparm (to get detailed info about IDE hard disks)
sdparm (to get detailed info about SATA/SCSI hard disks)
bulk_extractor

So this will be the flow of our script:
Check if the user is root.
Get a list of partitions
Get list of mounted partitions - we need to do this in case we have booted using a thumbdrive; we want to exclude our boot media from the analysis.
Get list of physical disks (in case we want to do anything at the physical disk level)
Check for presence of GPT partition tables.
Check each partition for presence of bitlocker signatures.
Mount all mountable partitions under the /media node in Read Only mode.
Check for the presence of any AppleMac partitions, and mount any partitions found.
For any file system that fails to mount, conduct an entropy test on a sample of 5 MB of data from the partition - warn the user if the file system appears to be encrypted (I will cover this in a bit more detail in a future post).
Create mount point for external drive
Prompt user to plug in external drive
Detect and mount partition on external drive in Read/Write mode
Create case directory structure on external drive
Create report containing details of interrogated system, hard disk info, partition info, RAM/Processor info
Process each mounted partition in turn (we can do a simple check to determine if Windows or MacOS is present, then launch another script appropriate for that OS; if no OS is detected, assume it is a storage disk and process accordingly).
Once each mounted partition processed, image in turn each inter-partition gap to external drive.
Analyse each inter-partition gap to see if it has a valid file system; if so, mount the file system and process it, else treat it as raw data and process it with a different script.
Check for presence of Linux swap partitions and process same
If any bit-locker signatures found, launch process to look for recovery key on drive.

In the script you will see that I have commented out the lines that launch the various analysis scripts for each partition. We'll look at some of the interesting types of automated analysis that we can do in future posts. For now, you can find the shell script HERE.

You may wonder why I use the "loop" option to the mount command: this is to prevent the journal of some journalling file systems from being MODIFIED.

The inter-partition gap analysis is something that isn't always done in computer forensics; the layout of many computer forensic suites doesn't lend itself to easy analysis of these areas, so this step is often overlooked. If you aren't looking in the inter-partition gaps routinely then you are doing your analysis incorrectly.
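To make the flow above concrete, here is an added example (my own code, not the script linked from this post) of the building blocks that can be exercised without root: locating inter-partition gaps from a partition layout, imaging one gap with dd, checking a partition's first sector for the BitLocker OEM id "-FVE-FS-", the 5 MB entropy sample used to flag encrypted partitions, excluding already-mounted boot media, and a read-only loop mount. The function names, the sample layout and the test images are all constructed for the example; the only real device interaction is in mount_ro, which is never called by the demo.

```shell
#!/bin/sh
# preview_lib.sh - helper functions for the preview flow (added example, not the post's script).
# Function names are my own. Everything except mount_ro also works on plain files,
# so it can be tried on constructed images without root.

# Constructed partition layout, one "start end" sector pair per line, as you might
# scrape from `sfdisk -d /dev/sdX` or `sgdisk -p /dev/sdX`. Disk assumed 2048000 sectors.
SAMPLE_LAYOUT="2048 206847
206848 1000000
1100000 2000000"

# find_gaps TOTAL_SECTORS   (layout on stdin)
# Prints "start end length" in sectors for every unallocated run, including the area
# before the first partition (partition table itself) and after the last one.
find_gaps() {
    sort -n | awk -v total="$1" '
        BEGIN { prev_end = -1 }
        NF >= 2 {
            if ($1 > prev_end + 1)
                printf "%d %d %d\n", prev_end + 1, $1 - 1, $1 - prev_end - 1
            if ($2 > prev_end) prev_end = $2
        }
        END {
            if (total - 1 > prev_end)
                printf "%d %d %d\n", prev_end + 1, total - 1, total - 1 - prev_end
        }'
}

# image_gap DEVICE START_SECTOR LENGTH_SECTORS OUTFILE
# Copies one gap out to the external drive so it can be mounted or carved later.
image_gap() {
    dd if="$1" of="$4" bs=512 skip="$2" count="$3" conv=noerror,sync 2>/dev/null
}

# has_bitlocker_signature DEVICE
# A BitLocker volume carries the OEM id "-FVE-FS-" at byte offset 3 of its first sector.
has_bitlocker_signature() {
    [ "$(dd if="$1" bs=1 skip=3 count=8 2>/dev/null)" = "-FVE-FS-" ]
}

# sample_entropy DEVICE [BYTES]
# Shannon entropy, bits per byte, over the first BYTES bytes (default 5 MiB, as in the post;
# BYTES is rounded down to whole KiB). Encrypted or compressed data sits near 8.0,
# zeroed or text-heavy regions well below.
sample_entropy() {
    dd if="$1" bs=1024 count="$(( ${2:-5242880} / 1024 ))" 2>/dev/null |
    od -An -v -tu1 |
    awk '{ for (i = 1; i <= NF; i++) c[$i]++; n += NF }
         END { for (b in c) { p = c[b] / n; h -= p * log(p) / log(2) }
               printf "%.2f\n", h }'
}

# mounted_block_devices   (/proc/mounts format on stdin)
# Block devices already in use, i.e. the boot medium, to exclude from the preview.
mounted_block_devices() {
    awk '$1 ~ /^\/dev\// { print $1 }' | sort -u
}

# mount_ro DEVICE MOUNTPOINT
# Read-only through a loop device, as the post recommends, so the journal of a journalling
# file system is not modified on the evidence disk. blockdev --setro is belt and braces.
mount_ro() {
    blockdev --setro "$1" 2>/dev/null
    mkdir -p "$2" && mount -o ro,loop,noexec,noatime "$1" "$2"
}

# Demo on constructed files (no root needed):  sh preview_lib.sh demo
demo() {
    tmp=$(mktemp -d)
    printf '\353X\220-FVE-FS-' > "$tmp/bde.img"          # constructed BitLocker-style header
    dd if=/dev/zero of="$tmp/zero.img" bs=1024 count=64 2>/dev/null
    echo "gaps (start end length):"
    printf '%s\n' "$SAMPLE_LAYOUT" | find_gaps 2048000
    has_bitlocker_signature "$tmp/bde.img" && echo "bde.img: BitLocker signature found"
    echo "zero.img entropy: $(sample_entropy "$tmp/zero.img")"
    rm -r "$tmp"
}
if [ "${1:-}" = demo ]; then demo; fi
```

In the real script the layout fed to find_gaps would come from the partition tool for each physical disk, each printed gap would go through image_gap and then a mount attempt, and any partition that fails to mount would be checked with has_bitlocker_signature before sample_entropy decides whether to warn about encryption.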
