Slashdot Mirror


Linux and Data Forensics?

An anonymous reader asks: "Data Forensics has been discussed in the past. I am entering the field soon and aside from rifling through Slashdot and Google and reading some technical data on the software that I am going to be using I haven't had much time to learn everything about the position (I will be officially trained when I move over to the role). I am wondering, though, if Linux has played a strong role in the courtroom when it comes to validating evidence that has been used in a lawsuit case. Those in the field who are reading this, have you used open-source software to prove facts to the court? I don't mean using dd to make an image of a disk but rather a suite of tools whose purpose is to analyze data, indicate relationships, create hash tables, et cetera. That being said, if that software is not available (the programmer side of me asks), is there enough interest in the community to create a package that rivals and is as accountable and recognizable as commercial products?"

14 comments

  1. Well, by Sevn · · Score: 1, Informative

    Almost every single case of spamming or DoS attacks against large ISPs involves some sort of open-source software. I'm not sure you understand how ubiquitous it is. Attacking a mailserver? Probably sendmail or qmail or postfix. That's open-source. Attacking a web server? It's probably apache. That's open source. So are a vast majority of Pop3, Imap, Time, DNS, and ftp servers. I've probably missed some also. A subpoena comes in for data? Someone is usually using open source to look at logs. Probably hopping in vi to check out the logs, running grep on them. All open source.

    --
    For every annoying gentoo user, there are three even more annoying anti-gentoo crybabies. Take Yosh from #Gimp for example.
  2. Umm... by Anonymous Coward · · Score: 3, Funny

    you didn't understand the question, did you?

  3. As always, google is your friend by UnderScan · · Score: 4, Informative

    Dear anonymous,
    As always, google is your friend.
    My learning disabled kid brother doesn't know what data forensics is, but he knows how to use google.
    Use it.

    http://www.google.com/search?q=knoppix+validation&sourceid=firefox&start=0&start=0&ie=utf-8&oe=utf-8
    http://www.google.com/search?q=linux+forensics&sourceid=firefox&start=0&start=0&ie=utf-8&oe=utf-8

    PDF - KNOPPIX Bootable CD Validation Study for Live Forensic Preview ...

    Linux-Forensics.com Home of the Penguin Sleuth Bootable CD

    Knoppix security tools distribution Knoppix STD (security tools distribution)

    From Australian DoD page: http://www.dsd.gov.au/library/software/flag/
    FLAG uses the SleuthKit tool from www.sleuthkit.org to analyse dd images. By putting inode information in the database it is possible to cross-correlate file properties, and simplify the forensic analysis process.

  4. Moderately Useful Point Supporting Linux by Bravo_Two_Zero · · Score: 4, Informative

    No, it's not related to the performance of Linux in the courtroom. But, I do recall reading that Linux is a preferred host for doing forensics (via dedicated tools or even using VMware) since filesystems can be mounted read-only without the need for a hardware switch (like a jumper on the drive). It's a minor point, but potentially useful.

    I've looked at:

    Penguinsleuth
    It's mostly a standard Knoppix CD with some forensics tools added

    SystemRescueCD
    From one of the partimage team members, it's gentoo-based and with a sweet array of boot options, including a boot option for an nt password & registry editor. Oh yeah... partimage is kinda nice for a Ghost-like imaging option.

    --
    Amateurs discuss tactics. Professionals discuss logistics.

  5. Questions Like This Disturb Me by dasunt · · Score: 1, Interesting

    I expect those in Data Forensics to be bright, inquisitive people who are willing to quickly learn new things.

    I expect that the role requires it.

    So, when someone asks "Linux and Data Forensics" without taking a few minutes to think about the problem, it disturbs me.

    Perhaps that person would be better suited for a less imaginative job.

    Off the top of my head, I could figure out several tools useful in data forensics. Copy the original drive block-by-block to a new drive. Mount the copy as read-only. Examine typical file locations for email and web caches. Use find to locate most documents. Use grep to search for specific words. Use find to look for all files newer than a specific date. If you want to get more involved, write up scripts that compare the drive to an original OS install and find differences. Write scripts that go through the drive and figure out what each file is. Etc, etc.

    Learn how a few common unix commands work, and learn perl. You should be set.

    Just my $.02

    1. Re:Questions Like This Disturb Me by RevDobbs · · Score: 4, Insightful
      Off the top of my head, I could figure out several tools useful in data forensics. Copy the original drive block-by-block to a new drive.

      The original question stated "I don't mean using dd to make an image of a disk but rather a suite of tools whose purpose is to analyze data, indicate relationships, create hash tables, et cetera.". But you start off attacking the inquirer, demonstrate a use he specifically mentioned, and then answer his "suite of tools" question with "well, I guess you can whip something up with perl & grep".

      No one is making anyone read slashdot... bitching about the quality of the posts is pointless AND counter-productive. You obviously don't have a unique perspective into computer forensics, so why don't you just step back and maybe learn something from an informed poster? And I'm not attacking just dasunt, but anyone who insists on bitching about slashdot and its content. And yes, I chose to post (off topic, but hopefully informative) instead of just moderating dasunt down.

    2. Re:Questions Like This Disturb Me by Anonymous Coward · · Score: 0

      The notion of perl being used for something as important as forensics disturbs me.

    3. Re:Questions Like This Disturb Me by Glamdrlng · · Score: 3, Informative
      Off the top of my head, I could figure out several tools useful in data forensics.
      What you can figure out means jack shit. If you use a single one of those tools on media that wasn't acquired through forensically sound means then you just botched your evidence. And guess what, mounting a drive read-only is a practice that can be impeached. Congratulations, that hard drive full of teh kiddy pr0n is now inadmissible.

      What Cliff understands and you don't is that effectiveness is only half the requirement for forensics tools. Such tools also have to be accepted by the court, either through legal precedent or through expert testimony. Expert testimony involves either paying someone with degrees and credentials out the ass to back up your forensic methods (not cheap) or qualifying you the examiner as an expert witness (may not work, also takes time which leads to more legal fees, not cheap).

      More importantly, a forensic kit needs to include the ability to quickly view multiple file types. One investigation can easily involve stacks of floppies, CD's, and SD cards as well as a laptop hard drive and desktop hard drive. Scripted searches are great, but those results need to be easily indexed and viewed through a multi-format file viewer or you won't be able to generate timely analyses.

      Don't get me wrong. I'd love to see linux forensics tools admitted in court, but what you're talking about is writing your own toolkit from scratch, not pencil whipping a few scripts. Why would you go to that much trouble when you could just use encase or FTK and know that your evidence will be admitted?
      --
      Yes, my only tool is a hammer. And you're starting to look like a nail.
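      Added example (not from any poster in this thread): a small Python triage pass of the kind dasunt sketches above (files newer than a date, diff against a clean install of the same OS) combined with the point Glamdrlng raises, that the analysis is worthless unless you can show the evidence copy was not altered. It therefore hashes every file and the manifest as a whole before and after the analysis and re-checks the digest. It runs over any directory tree, such as a dd image mounted with `mount -o ro,loop,noexec evidence.dd /mnt/ev`; note that a read-only mount alone does not guarantee the image bytes stay untouched (a journaling filesystem may replay its journal at mount time), which is why the integrity check is done by hashing rather than by trusting the mount flag. The sample trees, file contents and timestamps are constructed for the demo.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path, algo="sha256", chunk=1 << 20):
    """Stream a file through a hash in fixed-size chunks (large images fit in no RAM)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """One entry per regular file under root: size, mtime and sha256, keyed by relative path.

    Symlinks are skipped rather than followed, so a link pointing outside the
    evidence tree can neither pull in foreign data nor loop the walk.
    """
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            st = os.stat(full)
            manifest[os.path.relpath(full, root)] = {
                "size": st.st_size, "mtime": st.st_mtime, "sha256": hash_file(full)}
    return manifest


def manifest_digest(manifest):
    """Single hash over the whole manifest: write it in the case notes, recompute it later."""
    h = hashlib.sha256()
    for rel in sorted(manifest):
        e = manifest[rel]
        h.update(f"{rel}\0{e['size']}\0{e['sha256']}\n".encode())
    return h.hexdigest()


def files_newer_than(manifest, since):
    """Equivalent of `find -newermt`: paths whose mtime is after `since` (tz-aware datetime)."""
    cutoff = since.timestamp()
    return sorted(rel for rel, e in manifest.items() if e["mtime"] > cutoff)


def diff_against_baseline(baseline, evidence):
    """Compare the evidence manifest to a manifest of a clean install of the same OS."""
    base, ev = set(baseline), set(evidence)
    return {
        "added": sorted(ev - base),
        "removed": sorted(base - ev),
        "modified": sorted(p for p in base & ev
                           if baseline[p]["sha256"] != evidence[p]["sha256"]),
    }


def _populate(root, files):
    """Build a constructed sample tree from {relpath: (bytes, mtime as datetime)}."""
    for rel, (data, when) in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
        os.utime(full, (when.timestamp(), when.timestamp()))


def run_demo():
    """Constructed scenario: a clean baseline and an evidence copy with one trojaned binary."""
    old = datetime(2003, 1, 1, tzinfo=timezone.utc)
    new = datetime(2004, 6, 1, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as tmp:
        baseline_dir = os.path.join(tmp, "baseline")
        evidence_dir = os.path.join(tmp, "evidence")
        _populate(baseline_dir, {
            "etc/passwd": (b"root:x:0:0:root:/root:/bin/bash\n", old),
            "bin/ls": (b"ELF-stub-original", old),
            "var/log/old.log": (b"boot ok\n", old),
        })
        _populate(evidence_dir, {
            "etc/passwd": (b"root:x:0:0:root:/root:/bin/bash\n", old),
            "bin/ls": (b"ELF-stub-trojaned", new),        # replaced binary
            "home/bob/notes.txt": (b"meet at 9\n", new),  # new user data
        })
        baseline = build_manifest(baseline_dir)
        evidence = build_manifest(evidence_dir)
        before = manifest_digest(evidence)
        newer = files_newer_than(evidence, datetime(2004, 1, 1, tzinfo=timezone.utc))
        diff = diff_against_baseline(baseline, evidence)
        # Re-hash after the analysis pass: an untouched copy yields the same digest.
        after = manifest_digest(build_manifest(evidence_dir))
        # And show the check actually bites: one appended byte changes the digest.
        with open(os.path.join(evidence_dir, "bin/ls"), "ab") as f:
            f.write(b"!")
        tampered = manifest_digest(build_manifest(evidence_dir))
        return {"newer": newer, "diff": diff, "digest": before,
                "digest_unchanged": before == after, "tamper_detected": tampered != before}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

      The manifest is the "hash table" the original question asks about; in practice you would also hash the raw image file itself (sha256sum on the dd output) before it is ever mounted, and keep both values with the chain-of-custody record.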
  6. Circumventing security by niteice · · Score: 1

    Since the current Linux NTFS driver ignores security settings (like password-protected profiles) when mounting a drive, a Damn Small Linux CD can be useful for data extraction if someone hastily tried to cover their tracks.

    --
    ROMANES EUNT DOMUS
  7. Sleuth Kit/Autopsy by Patman · · Score: 4, Informative

    I do data forensics work for a living.

    The Sleuth Kit and the Autopsy frontend are outstanding tools. Use a Knoppix or FIRE CD plus an external hard drive for acquisitions.

    However, I would HIGHLY HIGHLY recommend that you take some training. SANS has a track for forensics that is pretty damn good. At the very least, it'll get you comfortable with the tools and tactics.

    1. Re:Sleuth Kit/Autopsy by vettemph · · Score: 1
      I've encountered a stock suse 9.1 personal install with no swap partition and an AES256 /home.

      Any suggestions on how to get in?

      --
      The government which is strong enough to protect you from everything is strong enough to take everything from you.
  8. Re:"HIGHLY recommend that you take some training" by Anonymous Coward · · Score: 0

    I'd like to see someone try and testify as an expert witness to data they uncovered without training. A halfway competent judge and/or opposing counsel would rip you to shreds for this.

    It's not about uncovering the data, it's about doing it properly. This won't happen if you're putting together your own toolsets in Perl at the moment you're conducting the investigation.

    Chain of custody, best practices, data preservation, peer review of procedures, and other CYA tactics that affect your procedure are taught in those training classes as well. When you're in the hot seat, this is all you can fall back upon.

  9. Yahoo Groups by kucenskm · · Score: 4, Informative

    Check out the Linux_Forensics group on yahoo. There are a lot of people with more experience than I who could answer the court question you posed.

    As far as tools are concerned, the Sleuthkit (http://www.sleuthkit.org) is the (IMO) best tool for the job and since it is already open source, modifications can be made and submitted back to the community for use.

    I have spent the last few months immersing myself in this field and I've been learning something new every day. Particularly about the guts of various file systems. Loads of fun :)

    -Matt