Forensic investigation using free Linux tools
Saturday, 06 December 2008
Here is a scenario you can think about. An administrator of a company has been accused of hoarding illegal material of questionable moral content on his company network system. You have been called upon to examine the suspect server and unearth evidence related to the said illegal material. Your boss has told you that you are not allowed to shut down the server. Unfortunately, no additional money is available to buy forensic tools or equipment. In this workshop we will explain how to use free forensic tools to investigate such cases.

We will use the following forensic products:

  • The Helix 3 Live CD to create a server image on the running system
  • PTK and TSK running on a Mandriva 2009 Server to investigate the case

Helix is a customized distribution of Ubuntu Linux. It is more than just a bootable live CD: you can boot into a customized Linux environment that includes customized Linux kernels, excellent hardware detection and many applications dedicated to incident response and forensics. You are also able to use the Helix tools for acquisition and investigation on a running Windows system.

PTK is a graphical (web-based) interface to the command-line digital investigation tools in The Sleuth Kit. Together, they can analyze Windows and UNIX disks and file systems (NTFS, FAT, UFS1/2, Ext2/3). The source code of both The Sleuth Kit and PTK is available, and both run on UNIX platforms. The file system tools allow you to examine the file systems of a suspect computer in a non-intrusive fashion. Because the tools do not rely on the operating system to process the file systems, deleted and hidden content is shown.

The workshop installation could look like this:

Step 1: Preparing the Mandriva 2009 Server running PTK

First of all, Mandriva 2009 should already be running on your server. Make sure to use a powerful machine. We recommend using the following website to add the official media and the latest update resources:

http://easyurpmi.zarb.org

The automatic media setup usually works perfectly and will help you to get an up-to-date system quickly.

We will use the urpmi command, which allows better and easier package management on your Mandriva box. For more information, see the Mandriva Wiki:

http://wiki.mandriva.com/en/Tools/urpmi

Use the following commands to install all necessary software including the dependencies:

urpmi apache-mpm-prefork   ## use the stable version
urpmi phpmyadmin           ## this will install php as well
urpmi mysql
urpmi afflib               ## needed for TSK
urpmi libewf               ## needed for TSK
urpmi netcat               ## to receive the image from the server
urpmi gcc-c++              ## to compile TSK
urpmi make                 ## to compile TSK

Step 2: Downloading and Installing PTK and The Sleuth Kit (TSK)

Download TSK from here and PTK here.

Let's start with TSK because there is a little bit more to do. Use the following commands to unpack, compile and install it. We already installed all dependencies in step 1 using the urpmi command:

tar xzf sleuthkit-3.0.0.tar.gz
cd sleuthkit-3.0.0
./configure
make
make install

Depending on your machine, the compilation may take some time, so in the meantime we can unpack PTK and copy it to the appropriate directory like this:

tar xzf ptk-1.0.2.tar.gz
cp -R ptk/ /var/www/html

That's it! How easy can it be? Don't worry, the problems will appear in the next step.


Step 3: Fixing problems during the installation process

Let's first double-check that Apache including PHP support is really working on your system. Create a small file info.php with the following content and store it in the directory /var/www/html:

<?php
phpinfo();
?>

Start apache like this:

/etc/init.d/httpd start

If everything is ok, open your favourite browser and go to the following URLs:

http://localhost/info.php
http://localhost/ptk/install.php

As you can see, the install script reports a lot of errors that we have to fix. Start with the permission problems. Add permissions like this:

cd /var/www/html/ptk
chmod 777 config
chmod 777 log
chmod 777 temp
chmod 777 filter
chmod 777 report
chmod 777 images

Additionally, the installation script cannot find the Sleuth Kit binaries we compiled in step 2. Here we have two solutions: you can either change the install script as explained below or create symbolic links for the necessary files.

Change all related entries in the install.php script from

$fsstat = shell_exec("which fsstat");

to the following:

$fsstat = shell_exec('export PATH="/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin"; which fsstat');

We decided to create symbolic links like this:

ln -s /usr/local/bin/fsstat /usr/bin/fsstat
ln -s /usr/local/bin/mmls /usr/bin/mmls
ln -s /usr/local/bin/fls /usr/bin/fls
ln -s /usr/local/bin/istat /usr/bin/istat
ln -s /usr/local/bin/icat /usr/bin/icat

and so on ...
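The symbolic-link step above and the PATH problem behind the install.php change, done in one go as an added example (not part of the original article): a POSIX shell script that links every Sleuth Kit tool from the install prefix into a directory on Apache's PATH, skips anything already present, and then lists the tools that a PATH like the one in the install.php fix still cannot resolve. The /usr/local/bin prefix (the default of ./configure) and the tool list (the TSK 3.0 command-line tools) are assumptions; check them against your own build.

```shell
#!/bin/sh
# Added example, not from the article: link the Sleuth Kit binaries that
# PTK's install.php looks up with `which` into a directory on Apache's PATH.
# Assumptions: TSK was installed with the default prefix (/usr/local/bin) and
# this is the list of TSK 3.0 command-line tools (verify against your build).
TSK_TOOLS="fsstat mmls mmstat mmcat fls istat icat ils ffind ifind \
blkls blkcat blkstat blkcalc img_stat img_cat hfind mactime sorter jls jcat"

# Create one symlink per tool from $1 (the install prefix bin directory) into
# $2 (a directory on the web server's PATH). Existing files are never
# replaced, so a distribution-packaged binary or an earlier link is left
# alone. Prints the number of links created; complaints go to stderr.
link_tsk_tools() {
    src="$1"
    dst="$2"
    linked=0
    for tool in $TSK_TOOLS; do
        if [ ! -x "$src/$tool" ]; then
            echo "missing $src/$tool (did 'make install' run?)" >&2
            continue
        fi
        if [ -e "$dst/$tool" ]; then
            continue
        fi
        ln -s "$src/$tool" "$dst/$tool"
        linked=$((linked + 1))
    done
    echo "$linked"
}

# Print the tools that cannot be resolved through the PATH given as $1, one
# per line. Run with the restricted PATH from the install.php fix, this shows
# what the web server would still fail to find after linking.
missing_tsk_tools() {
    for tool in $TSK_TOOLS; do
        PATH="$1" command -v "$tool" >/dev/null 2>&1 || echo "$tool"
    done
}

# Usage on the PTK server (as root): sh link_tsk.sh install
if [ "${1:-}" = "install" ]; then
    link_tsk_tools /usr/local/bin /usr/bin
    missing_tsk_tools "/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin"
fi
```

If the second function prints nothing, the "Try again" button in the PTK installer should no longer complain about missing Sleuth Kit tools.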

Click on the "Try again" button to reload the screen. All error messages should disappear.

Let’s continue with step 4. We will later come back to finish the installation.
