For most of my forensic previewing I use the CAINE forensic GNU/Linux distro. You can fully customise the distribution to fit your needs. Most of the stuff I blog about I have added to my distro to automate the previewing of suspect devices.
The CAINE guys recently released a new version of, called PULSAR. They have necessarily had to make some changes due to how Ubuntu is now packaged (CAINE is based on the Ubuntu distro). Previously, you could download an .iso to burn to CD and a DD image to copy to a thumbdrive. One of the major changes is that the version designed to be installed to a USB device (or indeed a hard disk on your workstation) comes as an .iso. I did some major surgery to the previous versions then used the remastersys scripts bundled in CAINE to generate my own customised .iso. Obviously, it isn't that simple any more, so I thought I would walk you through making persistent changes to the latest CAINE distro.
The basic steps to customising CAINE are:
Download NBCAINE 4.0
Install to thumbdrive
Make your changes to the distro
Merge your changes into the system
Create your new .iso
The first thing you need to do is download NBCAINE 4.0 from the CAINE website. You then need to use live-disk installer to install the .iso to your thumbdrive. I use UNETBOOTIN for this, but there are other installers out there for you to experiment with. You will also need a clean USB stick, formatted as FAT32. So all you need to do now is plug in your thumbdrive, launch unetbootin and configure it like this:
You need to make sure you have selected Ubuntu 12.04 Live as your Distribution. Then select the path to your nbcaine .iso image. You then need to configure how much space your require to preserve files across reboots. I make lots of changes so I select 2000 MB - you will need an 8 GB thumbdrive if you go this big. I then select the partition on my thumb drive that the distro is going to be installed to.
Once you click on "OK" the installation will start. Once complete, you can reboot, select your thumb drive as your boot device to boot into the CAINE environment.
-rw-r--r-- 1 fotd fotd 176 2013-03-15 17:47 autorun.inf drwx------ 2 fotd fotd 4.0K 2013-06-28 16:07 casper
-rw-r--r-- 1 fotd fotd 1.9G 2013-06-28 16:49 casper-rw
drwx------ 2 fotd fotd 4.0K 2013-06-26 13:31 .disk
drwx------ 4 fotd fotd 4.0K 2013-06-26 13:31 FtkImager
drwx------ 2 fotd fotd 4.0K 2013-06-26 13:34 install
drwx------ 2 fotd fotd 4.0K 2013-06-26 13:34 isolinux
drwx------ 2 fotd fotd 4.0K 2013-06-26 13:34 lang
-r--r--r-- 1 fotd fotd 32K 2013-06-26 13:35 ldlinux.sys
-rw-r--r-- 1 fotd fotd 52K 2013-03-16 16:38 md5sum.txt
-rw-r--r-- 1 fotd fotd 55K 2013-06-26 13:35 menu.c32
-rw-r--r-- 1 fotd fotd 1.4K 2013-03-15 17:56 NirLauncher.cfg
-rwxr-xr-x 1 fotd fotd 102K 2013-03-15 17:47 NirLauncher.exe
drwx------ 2 fotd fotd 36K 2013-06-26 13:31 NirSoft
drwx------ 2 fotd fotd 4.0K 2013-06-26 13:35 piriform
drwx------ 2 fotd fotd 4.0K 2013-06-26 13:35 preseed
-rw-r--r-- 1 fotd fotd 192 2013-03-16 15:51 README.diskdefines
drwx------ 2 fotd fotd 8.0K 2013-06-26 13:35 sysinternals
-rw-r--r-- 1 fotd fotd 1.7K 2013-06-26 13:35 syslinux.cfg
-rw-r--r-- 1 fotd fotd 25K 2013-06-26 13:35 ubnfilel.txt
-rw-r--r-- 1 fotd fotd 20M 2013-03-16 15:53 ubninit
-rw-r--r-- 1 fotd fotd 4.7M 2013-03-16 15:53 ubnkern
-rw-r--r-- 1 fotd fotd 1.6K 2013-06-26 13:31 ubnpathl.txt
-rw-r--r-- 1 fotd fotd 0 2013-03-16 16:37 ubuntu
drwx------ 7 fotd fotd 4.0K 2013-06-26 13:35 utilities
Many of the above files are for the live incident response side of things. The structures that we are interested in are the casper-rw file and the casper directory. Remember when we used unetbooting and were asked how much space we wanted to reserved for persistent changes? Whatever value you enter, the casper-rw file is created with a size corresponding to that value. In our case we specified 2000 MB, which is about 1.9 GB, hence our casper-rw file is 1.9 GB. It is this file that captures and stores any changes we make to the CAINE system. Lets have a look inside the "casper" directory:
-rw-r--r-- 1 fotd fotd 62K 2013-06-28 16:39 filesystem.manifest
-rw-r--r-- 1 fotd fotd 62K 2013-06-28 16:39 filesystem.manifest-desktop
-rw-r--r-- 1 fotd fotd 10 2013-06-28 16:39 filesystem.size
-rw-r--r-- 1 fotd fotd 1.5G 2013-06-28 16:41 filesystem.squashfs
-rw-r--r-- 1 fotd fotd 20M 2013-03-16 15:53 initrd.gz
-rw-r--r-- 1 fotd fotd 192 2013-03-16 15:51 README.diskdefines
-rw-r--r-- 1 fotd fotd 4.7M 2013-03-16 15:53 vmlinuz
The main file of interest here is the filesystem.squashfs. This file contains the compressed Linux file system, it gets decompressed and mounted read-only at boot. The previously described casper-rw is an ext2 file system that is mounted read-write at boot - it retains all the changes that are made. Using the new overlayfs system, the casper-rw overlays the decompressed filesystem.squashfs, but it is interpreted by the O/S as a single unified file system. We should bear in mind that the files "filesystem.size", "filesystem.manifest" (which lists all the installed packages) and "filesystem.manifest-desktop" have to accurately reflect various properties of the filesystem.squashfs file. Thus, if we add programs to our installation we have got to update all of the "filesystem.*" files.
Using overlayfs is useful for retaining changes over reboots, however it does mean that the system is somewhat bloated. What we really need to do is merge the changes in the casper-rw file system down into the compressed filesystem.squashfs, then we don't need our large 2000MB casper-rw file any more (or at least can use a much smaller file once we have made our major changes).
So, I have figure out how to do this...and it isn't actually that difficult. All we need is to make sure we have the squashfs tools installed and a recent Linux kernel that supports overlayfs. To check if your kernel supports overlayfs, simply have a look a look at your /proc/filesystems file and see if it is listed. If not you will need to install the overlayroot package, which is hopefully in your package manager. So let's go through this step-by-step. We've created our bootable thumb drive, booted into that environment, and made all the changes that we want to make. So shutdown and reboot into your Linux environment, plug in your CAINE thumbdrive and mount the partition in read write mode.
Change into a working directory in your linux distro. We are going to create two mount points, mount our filesystem.squashfs and casper-rw file systems, then overlay one over the other with the overlayfs before creating a new filesystem.squashfs. So, lets assume my thumb drive is mounted at /media/usb, now we create our mount points in our working directory:
mkdir caine-ro
mkdir caine-rw
Now we mount our casper-rw file in our caine-rw mount point:
sudo mount -o loop /media/usb/casper-rw caine-rw
We mount our filesystem.squashfs in our caine-ro mount point:
sudo mount -o loop /media/usb/casper/filesystem.squashfs caine-ro
Now we need to overlay one file system over the other using the overlayfs system. Conceptually, overlayfs has an "upperdir" which takes precedence and a "lowerdir". Obviously the "upperdir" gets overlaid on top of the "lowerdir", in our scenario the caine-rw is our "upperdir" and caine-ro is our "lowerdir".
Now we can do our file system overlaying:
mount -t overlayfs caine-ro -o lowerdir=caine-ro,upperdir=caine-rw caine-rw
We now have our two file systems overlayed with each other, we can now make a new filesystem.squashfs to replace the one on our thumb drive...but at which mount point is our unified filesystem from which we need to create our new filesystem.squashfs? Remember it is the "upperdir" that takes precedence, which in our case is caine-rw. So we need to create our new filesystem.squashfs from that mountpoint, we can do that like this:
sudo mksquashfs caine-rw/ filesystem.squashfs
We now have our replacement filesystem.squashfs that contains all our changes.
We now need to update the rest of the "filesystem.*" files to reflect changes in our filesystem.squashfs. Lets update our filesystem.manifest:
We now need to update the rest of the "filesystem.*" files to reflect changes in our filesystem.squashfs. Lets update our filesystem.manifest:
sudo chroot caine-rw/ dpkg-query -W --showformat='${Package} ${Version}\n' > filesystem.manifest
Now we can update our filesystem.manifest-desktop with this commands
cp filesystem.manifest filesystem.manifest-desktop
Unmount our mounted filesystems:
sudo umount caine-r*
Unmount our mounted filesystems:
sudo umount caine-r*
Finally, we can update the filesystem.size file - we'll need to mount our NEW filesystem.squashfs to do this:
sudo mount -o loop filesystem.squashfs caine-ro
printf $(sudo du -sx --block-size=1 caine-ro | cut -f1) > filesystem.size
printf $(sudo du -sx --block-size=1 caine-ro | cut -f1) > filesystem.size
At this point we have everything we need in our working directory, we just need to copy all of the "filesystem.*" files to our mounted thumb drive containing our CAINE system. Remember they need to go into the "casper" directory:
sudo cp filesystem.* /media/usb/casper/
Let's unmount our filesystem.squashfs:
sudo umount caine-ro
To finish up we need to go and work on our mounted thumbdrive.
We can make a new (much smaller) casper-rw to hold any minor future changes we want to make. We need to delete the existing, casper-rw, create a new one then format it - we'll use ext2 in our example:
sudo rm /media/usb/casper-rw
sudo dd if=/dev/zero of=/media/usb/casper-rw bs=1M count=300
sudo mkfs.ext2 -F /media/usb/casper-rw
Finally we need to make a new md5sum.txt file to reflect our changes:
cd /media/usb
sudo find . -type f -exec md5sum {} \; > md5sum.txt
All done! Remember to unmount all your various mounted filesystems relating to your work with the CAINE installation.
No comments:
Post a Comment