Dissecting the damaged disk
In "Performing Forensic Analyses, Part 1," June 2004, InstantDoc ID 42445, I showed you how to create a bootable CD-ROM that contains the Penguin Sleuth Kit and how to use that CD-ROM to create a digital copy, or image, of a compromised hard disk. Now let's look at how to perform a forensic analysis on that image by using the Penguin Sleuth Kit on your CD-ROM.
The Penguin Sleuth Kit includes two extremely useful utilities: the Sleuth Kit, which is a collection of forensic command-line tools, and Autopsy, which is the Web browser-based front end for the command-line tools. The Sleuth Kit and Autopsy use an evidence locker to store collected data and documentation. Thus, you need an external or writable hard disk for the evidence locker.
Forensic analysis is a time- and resource-intensive operation. If you'll be performing forensic analyses often, I recommend that you use a dedicated machine with Linux installed to do this work. However, if you'll be performing forensic analyses only on occasion, you can run the bootable CD-ROM from your workstation instead of installing Linux on a dedicated machine because the tools on the CD-ROM are Linux-based.
For the purpose of this article, let's assume that you're running the bootable CD-ROM from your Windows workstation, you're booted into Knoppix, your evidence locker is on an external USB disk, and you've created a forensic image. Now reboot the system with the command
The Penguin Sleuth Kit will return you to the initial boot prompt, after which you should type
and press Enter. (Although the command appears on two lines here, you should enter it on one line. The same holds true for the other multiline commands in this article.) This command boots into Tab Window Manager (TWM), a minimal-resource GUI for Linux. The default GUI is the K Desktop Environment (KDE), which provides an interface similar to Windows but requires a large amount of RAM. All you need to run is a Web browser, so KDE is unnecessary. Open a command prompt and run the command
to start the Konqueror Web browser, which the Penguin Sleuth Kit includes.
Let's assume that your external USB disk is at /dev/sda1 and that the USB disk contains not only the evidence locker but also the image of the compromised disk. Plug in the USB disk and follow these steps:
1. Mount the USB disk with the command
   mount /dev/sda1 /mnt
2. Create the /mnt/evidence_locker directory with the command
3. Run the Autopsy command. Figure 1 shows an example of what the Autopsy command's output might look like.
   knoppix@ttyp0[knoppix]$ autopsy
4. In the Konqueror Web browser, enter the URL that your Autopsy command output specifies.
Alternatively, you can keep Autopsy running on your workstation but perform the forensic analysis over the network through a different Web browser. This feature is useful if the system you're using doesn't have enough RAM to run even the TWM GUI. To use this alternative approach, you need to know the IP address for your workstation (if you attached a network cable). If you don't know your machine's IP address, you can use the command
to obtain it. Then, replace the command in Step 3 with this command
where Port is the number of the port to listen to and IPAddress is your workstation's IP address.
No matter which approach you use, after you enter the URL in the Web browser, the opening page for the Autopsy Web site appears, providing three links: Open Case, New Case, and Help. Select New Case because you haven't started working on a case yet. You'll be prompted to enter a name for the case and the names of the users who'll be using Autopsy. After entering this information, click New Case. The next page lists the actions that Autopsy took for verification purposes. Click OK to continue to the Case Gallery, which Figure 2 shows. The Case Gallery lists all the cases being investigated. Because you created only one case, you'll have just one case listed. Click OK.
On the next page, called the Host Gallery, some Autopsy-specific nomenclature comes into play. Every analysis is based on a case, which might include more than one disk image, each of which is called a host. For a simple analysis such as this one, the nomenclature might seem confusing, but it's useful when an investigation involves more than one suspect computer. Choose the Add Host option to add your digital image of the compromised disk. Autopsy prompts you for the host's name, a description, the time zone (for which you enter the standard time-zone abbreviation, such as EST), and the suspect machine's timeskew. Timeskew refers to the difference between the suspect computer's clock and the correct time (i.e., the time on the host computer's clock). The time zone and timeskew are necessary for Autopsy to correctly correlate time between computers and external incidents.
Finally, you can enter paths of databases that contain hashes or unique fingerprints of either files known to be malicious (i.e., Known Bad files, such as Trojan horses) or files known to be benign (i.e., Known Good files, such as standard Microsoft applications) so that you don't have as much chaff to sift through. Comprehensive (but by no means all-inclusive) databases are available from the National Institute of Standards and Technology (NIST) at http://www.nsrl.nist.gov. One particularly helpful database is NIST's database of known Trojan horses and hacking tools. Using such databases can greatly aid in diagnosing computer incidents. If you check your image against a database, any relevant information will be listed as Known Bad or Known Good when viewing it in Autopsy.
After you enter all the host information, click Add Host. You'll see another verification screen, which shows you the actions Autopsy took. Click OK to go back to the Host Gallery page. Select the host you just added, then click OK to bring up the Host Manager page, which Figure 3 shows.
In Host Manager, click Add Image. Autopsy prompts you for the full path to the image. The path must start with a slash (/). Next, you need to select the method to import the image. The first option, Symlink to evidence locker, creates in the evidence locker a symbolic link, or symlink, to the image. (A symlink is the UNIX equivalent of a Windows shortcut to a file.) The image is kept in its original position but is read from the evidence locker as if it were there. The other two options—Copy and Move—are self-explanatory. I suggest you use the Copy option, unless time or space is at a premium. Using a symlink could potentially corrupt the original image, so using a copy is safer. And moving the file might be difficult because of UNIX permissions.
Autopsy also asks you to specify the compromised disk's file-system type (e.g., FAT32, FAT16) and original mount point to help correlate file-system activity later. For the original mount point, enter the drive letter (e.g., C:\, D:\). Finally, select the Calculate Now check box if you want Autopsy to create an MD5 hash for the image.
After you click Add Image, Autopsy adds the image and creates the MD5 hash if you selected that option. Back at the Host Manager page, you'll see that the image has been added. Now that you have an image, you can use the following five options at the bottom of the Host Manager page: File Activity Time Lines, Image Integrity, Hash Databases, View Notes, and Event Sequencer. You can also access some options through the details link on the Host Manager page after you've added an image. Let's see what the details link has to offer before discussing the other five options.
Image Details Options
Clicking an image's details link in the Host Manager page brings up the Image Details page, which Figure 4 shows. In addition to listing the information you previously entered when you added the image, this page provides you with two options: Extract Strings and Extract Unallocated. You should take advantage of both options in your forensic analysis.
Extract Strings. When you click Extract Strings, Autopsy searches the entire image file for anything that remotely looks like a human-readable string and extracts those strings, saving them in the file specified by the File Name text box (in this case, usb-part.dd.str). After saving the strings, Autopsy lists the file's location in the Strings File entry in the box at the top of the Image Details page. In this case, the location would be output/usb-part.dd.str. If you append this path to the directory specified in the Host Directory entry, you can view the file from the command line by using a Linux command such as less. (The less command lets you view a text file's contents from the command line, without having to use an editor.) The file will contain lines of data such as: 188120 The files have been extracted successfully. The number listed is the logical address of the string's position in the image; the remainder of the line is the string. You can perform a keyword search to find suspicious strings. For example, a healthy system is unlikely to have a string such as W1nd0ze r00tk1t 2.0. Although an explanation is beyond the scope of this article, you can use the Sleuth Kit to extract for further analysis the file that contains a particular string.
Extract Unallocated. When you click Extract Unallocated, Autopsy extracts the unallocated sectors from the compromised disk and writes them to a file for string analysis. Sometimes you can find remnants of deleted files (and even complete yet deleted files) within these sectors. The unallocated sectors don't include slack space, which is the space allocated by the file system for a file that the file itself doesn't occupy. Every file system allocates space on a disk based on blocks of bytes. If a file doesn't use all the allocated space, the unused bytes are still readable by forensic software and might contain information from the file that previously occupied that location on the disk. For example, if the file system uses 8KB blocks and allocates one block for a file that's only 6KB, the remaining 2KB of data is the slack space. If an 8KB file originally occupied this space, the 2KB of slack space might contain data from that original file. After Autopsy writes the unallocated sectors to the file, you should run the Extract Strings option against that file to look for suspicious strings.
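To make the address-and-string output of Extract Strings and the slack-space arithmetic of Extract Unallocated concrete, here is a small Python example added for this article. It is not code from Autopsy or the Sleuth Kit; it builds a constructed two-block image (8KB blocks, a 6KB file written over an older 8KB file, and one block left unallocated by a deleted file), extracts printable strings with their logical addresses the way the .str file reports them, and then runs a keyword search over the file's slack space and over the unallocated block. The block size, file contents and the suspicious strings are all constructed for the demonstration.

```python
import math
import re

BLOCK_SIZE = 8192  # constructed 8KB block size, matching the article's slack-space example
MIN_LEN = 4        # shortest run of printable bytes reported, like the strings(1) default


def extract_strings(data: bytes, base: int = 0, min_len: int = MIN_LEN):
    """Return (address, text) pairs for every run of at least min_len printable ASCII bytes.
    address = base + offset within data, i.e. the logical position in the image, like the
    first column of Autopsy's .str file."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(base + m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def keyword_search(strings, regex: str):
    """Filter extracted strings with a grep-style regular expression, case-insensitively."""
    rx = re.compile(regex, re.IGNORECASE)
    return [(addr, s) for addr, s in strings if rx.search(s)]


def slack_range(file_size: int, block_size: int = BLOCK_SIZE):
    """(start, end) of the bytes in the file's last block that the file does not occupy."""
    allocated = math.ceil(file_size / block_size) * block_size
    return file_size, allocated


def unallocated_chunks(image: bytes, allocated_blocks, block_size: int = BLOCK_SIZE):
    """Every block the file system has not allocated, paired with its image offset so that
    string addresses found in it can still be mapped back to the original image."""
    chunks = []
    for b in range(len(image) // block_size):
        if b not in allocated_blocks:
            start = b * block_size
            chunks.append((start, image[start:start + block_size]))
    return chunks


def build_image():
    """Constructed two-block image. Block 0: an 8KB file was overwritten by a 6KB file, so
    its last 2KB are slack. Block 1: held a file that has since been deleted (unallocated)."""
    image = bytearray(2 * BLOCK_SIZE)
    old = bytearray((b"quarterly figures " * 500)[:BLOCK_SIZE])   # the original 8KB file
    marker = b"\x00W1nd0ze r00tk1t 2.0 installed\x00"              # lands inside future slack
    old[6999:6999 + len(marker)] = marker
    image[0:BLOCK_SIZE] = old
    new = (b"meeting notes " * 500)[:6 * 1024]                      # 6KB file reuses block 0
    image[0:len(new)] = new
    deleted = b"auth.log: 52 failed logins for admin from 10.0.0.5".ljust(BLOCK_SIZE, b"\x00")
    image[BLOCK_SIZE:2 * BLOCK_SIZE] = deleted
    return bytes(image), {0}   # only block 0 is currently allocated


def analyse():
    image, allocated = build_image()
    start, end = slack_range(6 * 1024)
    # Strings from the live part of the 6KB file show nothing suspicious ...
    live = keyword_search(extract_strings(image[:start]), r"r00tk1t")
    # ... but the 2KB of slack behind it still carries the previous occupant's data.
    slack = keyword_search(extract_strings(image[start:end], base=start), r"r00tk1t")
    # Extract Unallocated, then Extract Strings on the result, recovers the deleted file's text.
    unalloc = []
    for offset, chunk in unallocated_chunks(image, allocated):
        unalloc.extend(extract_strings(chunk, base=offset))
    deleted = keyword_search(unalloc, r"failed logins")
    return {"live": live, "slack": slack, "deleted": deleted, "slack_bytes": end - start}


if __name__ == "__main__":
    for key, value in analyse().items():
        print(key, value)
```

Because every address is reported relative to the whole image rather than to the extracted chunk, a hit in the unallocated output can be traced back to the block it came from, which is what you need when you later use the Sleuth Kit to pull out the file that contains the string.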
At the bottom of the Image Details page is a File System button. When you click this button, you get a page that provides information about the compromised disk's file system. As Figure 5 shows, the File Analysis page consists of a toolbar at the top and three panes. The left pane provides a directory listing. The upper right pane lists the directory's files, which are grouped by sector. Deleted files (or what can be gleaned from them) are included. Clicking a file, deleted or otherwise, prompts an ASCII version of that file to appear in the lower right pane. At the top of the lower right pane, information about the file type (if it's known) and a few options appear. The options are
- ASCII (display - report)
- Strings (display - report)
- Add Note
The ASCII display option is the default view of the file in its ASCII form. If you click the Strings display option, the strings in the file that you're viewing appear in the lower right pane. Clicking the ASCII report option adds the ASCII data to Autopsy's report for the case. Similarly, clicking the Strings report option adds the string data to the report. Note that when you use either report option, Autopsy includes the data from all three panes (not just the data from the lower right pane), so the information isn't succinct.
The Export option exports the entire file to an external file on the Linux system. The Add Note option brings up a window that lets you add a note about this particular file. The Written (i.e., modification), Accessed, and Created times, which appear in the upper right pane, are added to that note. Correlating these times can help trace the path of an intrusion.
Besides File Analysis, the toolbar at the top of Figure 5 contains several other items: Keyword Search, File Type, Image Details, Meta Data, and Data Unit. The Keyword Search function is fairly self-explanatory. You can specify whether to search the original image or the unallocated space by selecting the Load Original option or the Load Unallocated option, respectively. You can use grep regular expressions in your searches. For the experienced investigator, these expressions provide an excellent method for quickly obtaining pertinent results. Clicking grep cheat sheet gives you a quick rundown of possible regular expressions. You can also obtain information about grep regular expressions by running the command
The File Type function lets you sort all the files in the image by their file type. You simply click Sort Files by Type to bring up a series of check boxes outlining your options. I recommend that you keep the Extension and File Type Validation check box selected because Autopsy will then verify that the file signatures match their file types. When picture files (e.g., .jpg files) are renamed to .doc files, there tends to be an illicit reason. For searches against pictures, you can use the Thumbnail option, which can save a lot of time. Autopsy 1.75 displays the results of such a search in an alternative HTML file. Thus, to see the results, you need to copy the provided URL into your browser.
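To show what the Extension and File Type Validation check is doing under the hood, here is a Python example added for this article; it is not Autopsy's own sorter. It compares a file's leading bytes against a small, constructed signature table, groups files by the type the signature says they really are, and flags any file whose extension disagrees with its signature, such as a JPEG that has been renamed to .doc. The signature table and the sample files are constructed and deliberately short.

```python
import os

# Constructed signature table: leading bytes -> type name. A real checker carries far more entries.
MAGICS = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # legacy Word/Excel compound document
    (b"PK\x03\x04", "zip"),
]

# The signature each extension is expected to carry.
EXTENSION_TYPES = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif",
    ".pdf": "pdf", ".doc": "ole2", ".xls": "ole2", ".zip": "zip",
}


def sniff(data: bytes) -> str:
    """Type name according to the file's signature, or 'unknown' if nothing matches."""
    for magic, kind in MAGICS:
        if data.startswith(magic):
            return kind
    return "unknown"


def validate(name: str, data: bytes) -> dict:
    """Compare the type claimed by the extension with the type the signature shows."""
    ext = os.path.splitext(name)[1].lower()
    claimed = EXTENSION_TYPES.get(ext)
    actual = sniff(data)
    if claimed is None:
        status = "no-rule"        # extension not in the table; nothing to validate against
    elif actual == "unknown":
        status = "unrecognised"   # no signature matched; plain text, or something disguised
    elif claimed == actual:
        status = "match"
    else:
        status = "mismatch"       # e.g. picture data behind a .doc name
    return {"name": name, "extension": ext, "claimed": claimed, "actual": actual, "status": status}


def sort_by_type(files):
    """Group files by sniffed type and collect extension mismatches for the analyst."""
    groups, mismatches = {}, []
    for name, data in files.items():
        v = validate(name, data)
        groups.setdefault(v["actual"], []).append(name)
        if v["status"] == "mismatch":
            mismatches.append(v)
    return groups, mismatches


SAMPLE_FILES = {  # constructed contents: only the leading bytes matter to the check
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
    "report.doc": b"\xff\xd8\xff\xe1" + b"\x00" * 32,   # JPEG data hiding behind a .doc name
    "budget.xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 32,
    "readme.txt": b"plain text has no signature\n",
}


if __name__ == "__main__":
    groups, mismatches = sort_by_type(SAMPLE_FILES)
    print(groups)
    for m in mismatches:
        print("MISMATCH:", m["name"], "claims", m["claimed"], "but is", m["actual"])
```

Note that a file whose extension has no rule, or whose content matches no signature, is not a mismatch; it simply cannot be validated, and the Thumbnail option is the quicker way to review the picture group once the sorter has found it.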
The Image Details, Meta Data, and Data Unit functions all provide low-level file-system information about the compromised disk being analyzed. (Clicking Image Details in Figure 5 doesn't lead you to the Image Details page in Figure 4, even though they use the same title.) Although useful, these functions produce abstruse output and are recommended for advanced analysts only. Thus, I won't cover these functions here. (If you're an experienced analyst and you'd like information about these functions, go to http://www.sleuthkit.org.)
Host Manager Options
Now that you've looked at the analyses at the file-system level, let's explore the five options at the bottom of the Host Manager page:
Image Integrity. You can use the Image Integrity option at any time to verify your images. Click Image Integrity, then click the Validate button that's next to the image file you want to check. Autopsy then compares the original MD5 hash for that file against that file's current MD5 hash.
Hash Databases. The Hash Databases option lists whether any databases of Known Good or Known Bad hashes have been loaded and the location from which they were loaded.
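The Image Integrity check and the Known Good/Known Bad lookups described earlier are both plain hash comparisons. Here is a Python example added for this article, not Autopsy's own code, that does both: it records an MD5 hash for an image at add-image time and re-validates it later (detecting a single flipped bit), and it labels recovered files against a known-good and a known-bad hash set so that only the unknown and Known Bad files are left to examine. The hash sets use a constructed one-line-per-entry format built from the sample contents; they are not in the NSRL distribution format.

```python
import hashlib


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def record_image_hash(image: bytes) -> str:
    """The value Autopsy's Calculate Now check box stores when the image is added."""
    return md5_hex(image)


def validate_image(image: bytes, recorded: str) -> bool:
    """Image Integrity: hash the image again and compare with the recorded value."""
    return md5_hex(image) == recorded


def load_hash_set(lines):
    """Parse a constructed 'md5,name' hash set into {md5: name}.
    The line format here is our own, not the NSRL distribution format."""
    db = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(",", 1)
        db[digest.lower()] = name
    return db


def classify(data: bytes, known_good, known_bad) -> str:
    """Label a file the way Autopsy does after a hash-database lookup."""
    digest = md5_hex(data)
    if digest in known_bad:
        return "Known Bad"
    if digest in known_good:
        return "Known Good"
    return "Unknown"


def triage(files, known_good, known_bad):
    """Drop Known Good files so only the remaining chaff and any Known Bad hits are left."""
    remaining = {}
    for name, data in files.items():
        label = classify(data, known_good, known_bad)
        if label != "Known Good":
            remaining[name] = label
    return remaining


SAMPLE_FILES = {  # constructed contents standing in for files recovered from the image
    "C:/WINDOWS/system32/calc.exe": b"constructed bytes of a stock calculator binary",
    "C:/WINDOWS/temp/svc.exe": b"constructed bytes of a known Trojan horse",
    "C:/Documents/notes.txt": b"shopping list: milk, bread",
}
# Constructed hash sets, derived from the sample contents so the example runs offline.
KNOWN_GOOD = load_hash_set([
    "# constructed known-good set",
    md5_hex(SAMPLE_FILES["C:/WINDOWS/system32/calc.exe"]) + ",calc.exe",
])
KNOWN_BAD = load_hash_set([
    "# constructed known-bad set",
    md5_hex(SAMPLE_FILES["C:/WINDOWS/temp/svc.exe"]) + ",trojan-sample",
])


def demo():
    image = b"".join(SAMPLE_FILES.values())            # stand-in for the disk image
    recorded = record_image_hash(image)                 # stored at Add Image time
    tampered = image[:-1] + bytes([image[-1] ^ 0x01])   # one flipped bit somewhere in the image
    return {
        "intact": validate_image(image, recorded),
        "tampered": validate_image(tampered, recorded),
        "triage": triage(SAMPLE_FILES, KNOWN_GOOD, KNOWN_BAD),
    }


if __name__ == "__main__":
    print(demo())
```

Known Bad is checked before Known Good so that a file listed in both sets (which happens when a hash set is out of date) is never silently filtered out of the view.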
View Notes. The View Notes option provides a list of all the notes that have been compiled for the host.
Event Sequencer. The Event Sequencer option provides an easy method for piecing together the clues in an investigation that involves more than one machine. Clicking this option brings you to a chronological list of events for that investigation. If any notes have been made specifying a file's Written, Accessed, or Created time, they're listed here as well.
The Event Sequencer can help you correlate the events of a break-in, but it requires accurate time on all machines involved. If you're simply preparing for the inevitable instead of actively responding to a breach, now is a good time to review your company's method of correlating time between machines. The small amount of time that it takes to install a Network Time Protocol (NTP) server will be invaluable.
File Activity Time Lines. The File Activity Time Lines option creates a complete time line of the Written, Accessed, and Created times for all the files on a compromised disk. This option provides an extremely detailed view of what occurred on the suspect machine. Again, correct times are crucial, but because all the times are from the same machine, the results are inherently more accurate than times from separate machines (unless the intruder has played with the system clock).
When you click File Activity Time Lines, you get a page with a new toolbar that has four options: Create Data File, Create Timeline, View Timeline, and View Notes. First, you must click Create Data File to create a metadata file that Autopsy can work with. Then, you select the image for which you want to calculate the time line and click OK. Next, you click Create Timeline, select the metadata file to use, and specify the starting and ending dates of the time line. Choosing none for both the starting date and the ending date prompts Autopsy to report on all the file-system data. Finally, you need to specify a pathname for the time line and click OK.
Clicking View Timeline gives you a month-by-month description of file-system events. You can click Summary for a list of all the months, the years, and the number of events. You can also page through the list with the links or enter a specific month or year. As Autopsy suggests, you can sometimes digest the data better with a text editor outside of Autopsy. You can find the file in the /evidence_locker_dir/case_dir/host_dir_output/filename directory, where filename is the name that you gave the time line.
In the time line, each line includes the date of the event, the size of the data, the entry type, the mode (e.g., read, write, execute), the User ID (UID), the group ID (GID), the metadata address, and the filename. (The UID and GID aren't applicable for FAT file systems.) The View Notes option brings up the notes screen so that you can quickly add or view a note if something interesting appears.
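To show how the time zone and timeskew entered for the host feed into a file activity time line, here is a Python example added for this article (not the Sleuth Kit's own timeline tools). It takes constructed Written/Accessed/Created times for three files as they were stored on the suspect disk, corrects each for the host's time zone and skew, merges them into a chronological list with the same columns the article describes (time, size, entry type, mode, UID, GID, metadata address, filename), filters by date range, and then asks which files were touched within a few minutes of an external event such as an IDS alert. The time zone (EST as a fixed UTC-5 offset), the two-minute skew, the file records and the alert time are all constructed.

```python
from datetime import datetime, timedelta, timezone

# Host settings as entered in Autopsy's Add Host form (constructed values):
SUSPECT_TZ = timezone(timedelta(hours=-5), "EST")   # assumption: suspect clock kept EST (UTC-5)
TIMESKEW = timedelta(seconds=120)                    # constructed: suspect clock ran 2 minutes fast

# Constructed metadata for three files, times exactly as stored on the suspect disk (local clock).
# UID and GID are 0 because the example stands in for a FAT file system, where they don't apply.
FILES = [
    {"name": "C:/Documents/report.doc", "size": 4096, "mode": "rwxrwxrwx", "uid": 0, "gid": 0,
     "meta": 1234, "written": "2004-06-15 09:30:00", "accessed": "2004-06-15 09:30:00",
     "created": "2004-06-01 08:00:00"},
    {"name": "C:/WINDOWS/temp/svc.exe", "size": 20480, "mode": "rwxrwxrwx", "uid": 0, "gid": 0,
     "meta": 2048, "written": "2004-06-15 23:45:10", "accessed": "2004-06-15 23:45:10",
     "created": "2004-06-15 23:45:10"},
    {"name": "C:/WINDOWS/system32/config/SAM", "size": 262144, "mode": "rwxrwxrwx", "uid": 0,
     "gid": 0, "meta": 77, "written": "2004-06-10 12:00:00", "accessed": "2004-06-15 23:46:02",
     "created": "2004-01-01 00:00:00"},
]


def to_utc(local_str, tz=SUSPECT_TZ, skew=TIMESKEW):
    """Correct a naive suspect-clock timestamp for time zone and skew, returning aware UTC.
    Skew is (suspect clock - true time), so it is subtracted."""
    naive = datetime.strptime(local_str, "%Y-%m-%d %H:%M:%S")
    return (naive.replace(tzinfo=tz) - skew).astimezone(timezone.utc)


def build_timeline(files=FILES, tz=SUSPECT_TZ, skew=TIMESKEW):
    """Rows of (utc_iso, size, mac_flags, mode, uid, gid, meta, name), sorted by time.
    mac_flags holds 'm', 'a', 'c' or '.' per position; times that coincide for one file merge."""
    merged = {}
    for f in files:
        for flag, key in (("m", "written"), ("a", "accessed"), ("c", "created")):
            t = to_utc(f[key], tz, skew)
            merged.setdefault((t, f["meta"]), set()).add(flag)
    by_meta = {f["meta"]: f for f in files}
    rows = []
    for (t, meta), flags in sorted(merged.items()):
        f = by_meta[meta]
        mac = "".join(x if x in flags else "." for x in "mac")
        rows.append((t.isoformat(), f["size"], mac, f["mode"], f["uid"], f["gid"], meta, f["name"]))
    return rows


def rows_between(rows, start_utc, end_utc):
    """Date-range filter, like the start and end dates chosen when creating a time line."""
    return [r for r in rows if start_utc <= datetime.fromisoformat(r[0]) <= end_utc]


def files_near(rows, event_utc, window=timedelta(minutes=5)):
    """Names of files with any activity within +/- window of an external event."""
    return {r[7] for r in rows if abs(datetime.fromisoformat(r[0]) - event_utc) <= window}


if __name__ == "__main__":
    timeline = build_timeline()
    for row in timeline:
        print(*row)
    alert = datetime(2004, 6, 16, 4, 44, 0, tzinfo=timezone.utc)   # constructed IDS alert time
    print("touched near alert:", files_near(timeline, alert))
```

Run as written, the time line places the new executable in the temp directory and the access to the SAM file within two minutes of the constructed alert; without the skew correction the same two events would appear two minutes late, which is enough to break a correlation against a precisely timed network alert.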
We've now examined the standard tools that come with Autopsy. Although their numbers are few, their power in the hands of an experienced investigator is amazing. The greatest difficulty in forensic analysis comes not in using the tools, but in knowing where to investigate and in sorting through the voluminous information that's gathered. Although these tools can't complete the arduous task of forensic analysis for you, they'll certainly lead you in the right direction.