diff --git a/manuscript/chapter10.txt b/manuscript/chapter10.txt index 423a9c7..57681c2 100644 --- a/manuscript/chapter10.txt +++ b/manuscript/chapter10.txt @@ -9,13 +9,13 @@ C> By [Barry Grundy](https://github.com/bgrundy) | [Website](https://linuxleo.co There are plenty of resources available on what Linux is, what roles it fills, and how it compares with other operating systems. Here we will discuss Linux from the perspective of digital forensics and incident response. -There have been many discussions about what defines Linux. The classical definition is that Linux is a kernel (the "brains" of the operating system) augmented by user space drivers, utilities, and applications that allow us to interact with a computer in a useful manner. For the sake of simplicity, we extend the name "Linux" to encompass the entire operating system, and even the applications that can be bundled and distributed. +There have been many discussions about what defines Linux. The classical definition is that Linux is a kernel (the "brains" of the operating system) augmented by user space drivers, utilities, and applications that allow us to interact with a computer in a useful manner. For the sake of simplicity, we extend the name "Linux" to encompass the entire operating system and even the applications that can be bundled and distributed. -Linux was developed by Linus Torvalds at the University of Helsinki back in the early 1990's. It was, essentially, a "hobby" version of UNIX created for PC hardware. +Linux was developed by Linus Torvalds at the University of Helsinki back in the early 1990s. It was, essentially, a "hobby" version of UNIX created for PC hardware. {pagebreak} -On 25 August, 1991, Torvalds posted this to the Usenet group comp.os.minix: +On 25 August 1991, Torvalds posted this to the Usenet group comp.os.minix: > Hello everybody out there using minix > I'm doing a (free) operating system (just a hobby, won't be big and 
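Review bot: style point in the first replaced paragraph (`+There have been many discussions...`): the patch normalizes punctuation here but leaves `user space drivers` unhyphenated, while later hunks of the same patch hyphenate compound modifiers (`desktop-oriented`, `open-source`, `command-line-oriented`). For consistency, consider `augmented by user-space drivers, utilities, and applications`. The date fixes (`1990s`, `25 August 1991`) look right.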
@@ -38,13 +38,13 @@ On 25 August, 1991, Torvalds posted this to the Usenet group comp.os.minix: > AT-harddisks, as that's all I have :-(. > --Linus Torvalds (quoted from [Wikipedia](https://en.wikipedia.org/wiki/History_of_Linux#The_creation_of_Linux))} -Modern Linux is an operating system very similar to Unix, deriving most of its functionality from the much older AT&T Unix originally developed in in the 1970's. This included a full TCP/IP stack and GNU development tools to compile programs. In short, Linux is mostly compliant with the Portable Operating System Interface for Unix (POSIX). +Modern Linux is an operating system very similar to Unix, deriving most of its functionality from the much older AT&T Unix originally developed in the 1970s. This included a full TCP/IP stack and GNU development tools to compile programs. In short, Linux is mostly compliant with the Portable Operating System Interface for Unix (POSIX). Despite the warnings of lack of architecture portability and limited support mentioned by Torvald's postscript, Linux has grown to a fully functioning operating system that supports a great deal of modern hardware. Standard SATA hard drives through modern M.2 and NVMe storage are robustly supported. Drivers and software support for newer motherboards and associated hardware are constantly improving and growing. The Linux kernel, where most of this support resides, has a very fast production cycle, and support for newer devices (where specifications are available) is rapidly added in most cases. -For the digital forensics practitioner, this hardware compatibility issue can be exceedingly important. Not only must we verify and _test_ that our hardware is properly supported and functioning as intended; we also need to ensure that any subject hardware we might need to directly attach to our system (which we might do for a variety of reasons) is also properly detected and supported. 
This is often done via direct physical connection, or via boot media on a subject system. +For the digital forensics practitioner, this hardware compatibility issue can be exceedingly important. Not only must we verify and _test_ that our hardware is properly supported and functioning as intended; but we also need to ensure that any subject hardware we might need to directly attach to our system (which we might do for a variety of reasons) is also properly detected and supported. This is often done via a direct physical connection, or via boot media on a subject system. -While we have given a very general definition of what Linux is and where it originated, we should also mention what Linux is _not_, particularly where digital forensics is concerned. We will cover _why_ you might want to use Linux for digital forensics in a later section, but for now a beginner forensics examiner should know that Linux is not a platform well-suited to "point-and-click", or what some might refer to as "Nintendo forensics" techniques. While there are graphical user interface (GUI) tools available for Linux, it is not the strongest OS for that approach. More on that later. +While we have given a very general definition of what Linux is and where it originated, we should also mention what Linux is _not_, particularly where digital forensics is concerned. We will cover _why_ you might want to use Linux for digital forensics in a later section, but for now, a beginner forensics examiner should know that Linux is not a platform well-suited to "point-and-click", or what some might refer to as "Nintendo forensics" techniques. While there are graphical user interface (GUI) tools available for Linux, it is not the strongest OS for that approach. More on that later. Linux can be fairly easy to install, particularly given modern desktop GUI front ends for configuration and settings. However, Linux is **NOT** a "better Windows". 
Linux should not be approached as a replacement to Microsoft Windows - one that acts like Windows and is supposed to be familiar to someone who has been using Windows (or macOS for that matter) for years. Linux works very differently from some more mainstream operating systems. There is a steep learning curve and troubleshooting can seem overwhelming to someone used to running Windows on their computer. It is possible to use Linux as a primary driver for digital forensics, and many digital forensic practitioners have done this for years. That said, while Linux can be a fantastic learning tool and a great way to access forensic and operating system utilities on an alternative platform, it will remain a secondary operating system for most people new to the field. 
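Review bot: grammar problem in the replaced `+For the digital forensics practitioner` line: the newly added `but` now sits after a semicolon (`...functioning as intended; but we also need to ensure...`). `Not only ... but also` is a single correlative clause and takes a comma, not a semicolon: `Not only must we verify and _test_ that our hardware is properly supported and functioning as intended, but we also need to ensure ...`. Two untouched context lines in this hunk could use the same pass: `Torvald's postscript` should be `Torvalds's postscript` (the surname is Torvalds), and `a replacement to Microsoft Windows` reads better as `a replacement for Microsoft Windows`.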
@@ -60,25 +60,25 @@ If you are a student of digital forensics or a practitioner looking to better un Particularly for students, the sheer number of free tools available for Linux - not to mention the standard operating system utilities - make it accessible to all levels of income. No need for expensive licenses or dongles to be able to do a full analysis or participate in training. While it is true that many open source digital forensics utilities will compile and run natively on Windows, the ability to run multiple copies of Linux, either on physical computers or virtual machines, still makes it an attractive alternative for learning. -Many of the tools available for digital forensics on Linux are meant to be used with the command line interface (CLI). To a beginner it can certainly appear to be daunting. But learning at the CLI removes the clutter of a GUI and all the menus and mouse clicks required to complete a task. Most Unix tools adhere to the philosophy that they should do one thing, and do it well. As you learn what each tool does and how it works, you can string commands together to accomplish a whole series of steps with one command using multiple tools all at once (commonly referred to as _piping_). This approach allows you to concentrate on the results rather than on an interface with multiple windows and views to sort through. Again this is a benefit for education specifically. There is no doubt that a forensic software suite that ingests, analyzes evidence, and presents the results in a single step is more _efficient_. But learning from the CLI with specific and very targeted output can be immensely powerful for students. +Many of the tools available for digital forensics on Linux are meant to be used with the command line interface (CLI). To a beginner, it can certainly appear to be daunting. But learning at the CLI removes the clutter of a GUI and all the menus and mouse clicks required to complete a task. 
Most Unix tools adhere to the philosophy that they should do one thing, and do it well. As you learn what each tool does and how it works, you can string commands together to accomplish a whole series of steps with one command using multiple tools all at once (commonly referred to as _piping_). This approach allows you to concentrate on the results rather than on an interface with multiple windows and views to sort through. Again this is a benefit for education specifically. There is no doubt that a forensic software suite that ingests, analyzes evidence, and presents the results in a single step is more _efficient_. But learning from the CLI with specific and very targeted output can be immensely powerful for students. ### Free(dom)! -Freedom and flexibility are just two of the many attributes that can help make Linux a useful addition to a forensic examiner's tool box. +Freedom and flexibility are just two of the many attributes that can help make Linux a useful addition to a forensic examiner's toolbox. -First and foremost of course, Linux is free. As mentioned earlier, this means we can install it as many times on as many computers (or virtual machines) as we like. You can use it as any sort of server while not tying up valuable budget resources on licensing. This goes for the forensic software as well. You can install, copy, and share across multiple platforms and users, again without breaking the bank. +First and foremost, of course, Linux is free. As mentioned earlier, this means we can install it as many times on as many computers (or virtual machines) as we like. You can use it as any sort of server while not tying up valuable budget resources on licensing. This goes for the forensic software as well. You can install, copy, and share across multiple platforms and users, again without breaking the bank. -For a practitioner learning the ins and outs of digital forensics, this can be very powerful. 
You can install multiple copies of Linux across devices and virtual environments in a simple home lab; deleting, reinstalling and repurposing computer resources along the way. Installing and running Linux is a great way to re-purpose old hardware, which brings us to our next point. +For a practitioner learning the ins and outs of digital forensics, this can be very powerful. You can install multiple copies of Linux across devices and virtual environments in a simple home lab; deleting, reinstalling, and repurposing computer resources along the way. Installing and running Linux is a great way to re-purpose old hardware, which brings us to our next point. Linux provides unparalleled flexibility. It will run on all forms of hardware, from laptop and desktop computers, to mobile devices and single board computers (SBC). It will run in a variety of virtualization environments, up to and including Microsoft Windows's own Windows Subsystem for Linux (WSL/WSL2). You can choose to run a Linux distribution on a workstation, on a $50 Raspberry Pi, in a virtual machine, or natively in Windows using WSL. These all have their benefits and drawbacks including cost, direct hardware access, convenience, and resource requirements. Another facet of Linux's flexibility lies in the number of choices, freely available, that users have over their working environment. Desktop environments like [KDE/Plasma](https://kde.org/plasma-desktop/), [Gnome](https://www.gnome.org/) and [XFCE](https://www.xfce.org/) provide a wide range of choices that a user can customize for aesthetics or workflow efficiency. These desktop environments don't change the underlying operating system, but only the way one interacts with that system. Paired with a separate _window manager_, there are hundreds of possibilities for customization. While it may sound trivial, we are not discussing wallpaper and icon themes here. We are talking about the flexibility to decide exactly *how* you interact with your workstation. 
-For example, you can set up a Linux environment that focuses on primarily CLI usage where the keyboard is the primary interface and the mouse is rarely needed. This can be done with a wide selection of "tiling" window managers that open new windows in a pre-determined arrangement and allow for window manipulation, multiple workspaces and program access all through customizable keystrokes and little or no use for a mouse. This is certainly not a configuration that will appeal to everyone, but that is one of the joys of Linux - the ability to completely customize it to match your particular workflow. +For example, you can set up a Linux environment that focuses on primarily CLI usage where the keyboard is the primary interface and the mouse is rarely needed. This can be done with a wide selection of "tiling" window managers that open new windows in a pre-determined arrangement and allow for window manipulation, multiple workspaces, and program access all through customizable keystrokes and little or no use for a mouse. This is certainly not a configuration that will appeal to everyone, but that is one of the joys of Linux - the ability to completely customize it to match your particular workflow. ### Control -Another traditional benefit of Linux over other operating systems has historically been the control it provides over attached devices. This has always been one of the more important factors when adopting Linux in the context of a forensic workstation. Most operating systems are designed to isolate the user from the inner workings of hardware. Linux, on the other hand, has traditionally allowed for much more granular control over attached devices and the associated drivers. This has blurred somewhat in recent years with a number of popular Linux versions becoming more desktop oriented and relying more and more on automation and ease of operation. While this approach does hide some of the control options from the user, they are generally still available. 
+Another traditional benefit of Linux over other operating systems has historically been the control it provides over attached devices. This has always been one of the more important factors when adopting Linux in the context of a forensic workstation. Most operating systems are designed to isolate the user from the inner workings of hardware. Linux, on the other hand, has traditionally allowed for much more granular control over attached devices and the associated drivers. This has blurred somewhat in recent years with a number of popular Linux versions becoming more desktop-oriented and relying more and more on automation and ease of operation. While this approach does hide some of the control options from the user, they are generally still available. Again, with advances in recent years, this level of hardware control is not as exclusive to Linux as it once was. 
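Review bot: inconsistency inside the replaced `+For a practitioner learning` line: it switches `repurposing` to the closed form but keeps `re-purpose` two sentences later (`...reinstalling, and repurposing computer resources along the way. Installing and running Linux is a great way to re-purpose old hardware`). Pick one spelling. Two smaller style points in the same hunk: `focuses on primarily CLI usage` in the `+For example` line would read more naturally as `focuses primarily on CLI usage`, and `Again this is a benefit for education specifically.` is the one introductory adverb in this hunk not given a comma (`Again, this is...`), unlike the newly added `To a beginner,` and `First and foremost, of course,`.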
@@ -88,11 +88,11 @@ All of the preceding might come across as pushing Linux as a superior operating It is absolutely possible to utilize Linux as a primary digital forensic platform in today's laboratory environment. It is also a reality that providing timely and usable information for non-technical investigators and managers often means utilizing the reporting and data sharing functionalities available in modern forensic software suites that most often run under mainstream operating systems and not Linux. -So where does Linux fit into a modern laboratory where reality and case load dictates the use of software suites with automated functionality? +So where does Linux fit into a modern laboratory where reality and caseload dictate the use of software suites with automated functionality? As an alternative operating system, Linux is often used to troubleshoot hardware issues where one platform either cannot detect or cannot access particular media. Linux is well known for its ability to provide better diagnostic information and sometimes better detection for damaged or otherwise misbehaving devices. When dealing with difficulties accessing a hard drive, for example, you will often hear the advice "connect it to a Linux box". Being able to directly monitor the kernel buffer and view the interactions between hardware and the kernel can be a great help in solving hardware issues. -There is also the benefit of having a completely different operating system utilizing a different tool set for cross verification of findings. In some organizations, the cross verification of significant analysis results is a requirement. Depending on the situation, validating a result can make good sense even when it is not explicitly required. Cross verification means that if a practitioner finds an artifact or draws a particular conclusion on a given piece of evidence, the finding can be reproduced using a different tool or technique. 
+There is also the benefit of having a completely different operating system utilizing a different toolset for cross-verification of findings. In some organizations, the cross-verification of significant analysis results is a requirement. Depending on the situation, validating a result can make good sense even when it is not explicitly required. Cross verification means that if a practitioner finds an artifact or draws a particular conclusion on a given piece of evidence, the finding can be reproduced using a different tool or technique. {pagebreak} 
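Review bot: the hyphenation in the replaced `+There is also the benefit` line is applied inconsistently: the first two sentences switch to `cross-verification`, but the last sentence of the same line still reads `Cross verification means that...`. Either hyphenate all three or none; since the noun is hyphenated elsewhere in this patch, `Cross-verification means that...` keeps the line self-consistent.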
@@ -103,9 +103,9 @@ Consider the following simplified example: 3. The forensic examiner provides a targeted report detailing the document's properties: timestamps, ownership, where or how it might have originated on the media, etc. 4. The forensic examiner re-analyzes the specific document using a completely different tool perhaps on a completely different operating system (Linux in this case). Does the alternate tool identify the same location (physical disk location)? Are the timestamps the same? Is the document metadata the same? Differences, if any, are investigated and explained. -The cross verification outlined above is somewhat simplified, but it provides an outline of how Linux can be employed in a laboratory environment dominated by Windows software and the need for efficient reporting. Using an alternative operating system and unique open source tools to cross verify specific findings can help eliminate concerns about automated processes and the integrity of reports. +The cross verification outlined above is somewhat simplified, but it provides an outline of how Linux can be employed in a laboratory environment dominated by Windows software and the need for efficient reporting. Using an alternative operating system and unique open source tools to cross-verify specific findings can help eliminate concerns about automated processes and the integrity of reports. -Another benefit of using Linux to cross verify findings is that you will learn the OS as you integrate it into your workflow rather than simply installing it and trying to make time to learn. +Another benefit of using Linux to cross-verify findings is that you will learn the OS as you integrate it into your workflow rather than simply installing it and trying to make time to learn. ## Choosing Linux 
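Review bot: same hyphenation inconsistency as the previous hunk, within the replaced `+The cross verification outlined above` line: the verb becomes `cross-verify` but the noun at the start of the sentence stays `cross verification`, whereas the previous hunk hyphenates the noun as `cross-verification`. Also, `unique open source tools` in this line is left as two words while the next hunk hyphenates the same modifier as `open-source programs`; `open-source tools` would match.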
@@ -113,9 +113,9 @@ How does one start a journey into using Linux for digital forensics? We begin wi ### Distributions -A Linux distribution (or "distro" for short) is a collection of Linux components and compiled open source programs that are bundled together to create an operating system. These components can include a customized and packaged kernel, optional operating system utilities and configurations, custom-configured desktop environments and window managers, and software management utilities. These are all tied together with an installer that is usually specific to the given distribution. +A Linux distribution (or "distro" for short) is a collection of Linux components and compiled open-source programs that are bundled together to create an operating system. These components can include a customized and packaged kernel, optional operating system utilities and configurations, custom-configured desktop environments and window managers, and software management utilities. These are all tied together with an installer that is usually specific to the given distribution. -Because of the open source nature of the Linux environment, you could grab all the source code for the various components and build your very own distribution, or at least a running version of Linux. This is often referred to as "Linux from Scratch" (LFS). With a distribution, the developers do all the heavy lifting for you They package it all up and make the entire operating system available to you for install via a variety of methods. +Because of the open-source nature of the Linux environment, you could grab all the source code for the various components and build your very own distribution, or at least a running version of Linux. This is often referred to as "Linux from Scratch" (LFS). With a distribution, the developers do all the heavy lifting for you They package it all up and make the entire operating system available to you for installation via a variety of methods. {pagebreak} 
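Review bot: a missing sentence boundary survives the edit in the replaced `+Because of the open-source nature` line: `...the developers do all the heavy lifting for you They package it all up...` needs a period (or semicolon) after `you`. Since the line is already being rewritten for `installation` and `open-source`, this is the place to fix it.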
@@ -133,21 +133,21 @@ So how does one choose a Linux distro, particularly for use as a digital forensi ### Choosing Your Platform -From the perspective of a digital forensics examiner, any distro will work within reason. The simplest answer is to download any popular distribution and just install it. In the long run just about any flavor of Linux can be made to act and "feel" like any other. +From the perspective of a digital forensics examiner, any distro will work within reason. The simplest answer is to download any popular distribution and just install it. In the long run, just about any flavor of Linux can be made to act and "feel" like any other. If you want to do some research first, consider looking at what is already in use. Does your lab or agency already use Linux in the enterprise? It may be a good idea to use a Linux version that closely matches what your organization already has deployed. If part of your job is to respond to company or agency incidents, a more intimate knowledge of the systems involved would be helpful. Another legitimate answer to the question of "which distro?" is simply to see what others around you are running. If you have co-workers or labmates that are running a specific version of Linux, then it makes sense to do the same. Being able to consult with co-workers and friends makes getting support much easier. -There are, however, other points that might warrant scrutiny. Ubuntu, as popular as it is, has drifted toward a more desktop oriented operating system. Configuration options and system settings have been made much easier through a number of GUI utilities and enhancements that make the distribution more focused on ease of use - the end user still has access to in-depth control of the operating system, but there might be some work involved in disabling some of the automation that might hamper forensic work (automatic mounting of attached storage, for example). +There are, however, other points that might warrant scrutiny. 
Ubuntu, as popular as it is, has drifted toward a more desktop-oriented operating system. Configuration options and system settings have been made much easier through a number of GUI utilities and enhancements that make the distribution more focused on ease of use - the end user still has access to in-depth control of the operating system, but there might be some work involved in disabling some of the automation that might hamper forensic work (automatic mounting of attached storage, for example). -Other Linux distributions offer a far more simple approach - minimally configured "out of the box", leaving it completely up to the user to configure the bells and whistles often considered normal features for modern operating systems. Distributions like Slackware, Void Linux and Gentoo fall into this category. With these distributions, rather than making systemic changes to a heavily desktop oriented configuration, you can start with a more streamlined workstation and work up, building a more efficient system. The learning curve, however, is steeper. +Other Linux distributions offer a far more simple approach - minimally configured "out of the box", leaving it completely up to the user to configure the bells and whistles often considered normal features for modern operating systems. Distributions like Slackware, Void Linux, and Gentoo fall into this category. With these distributions, rather than making systemic changes to a heavily desktop-oriented configuration, you can start with a more streamlined workstation and work up, building a more efficient system. The learning curve, however, is steeper. -Another consideration is the choice between a rolling release and an incremental release distro. Most operating systems are released in discrete numbered versions. Version X is released on a given date and typically receives only security updates and bug fixes before the next major version. Eventually another release, version Y, is made available and so on. 
Distributions like Slackware, Debian and (generally) Ubuntu fall into this category. For the most part, this release schedule is more stable, because components of the desktop and operating system are updated and tested together before release. For the forensic examiner this approach introduces fewer mass changes to kernel components and software libraries that might affect the forensic environment or impact evidence integrity and the interpretation of examination results. +Another consideration is the choice between a rolling release and an incremental release distro. Most operating systems are released in discrete numbered versions. Version X is released on a given date and typically receives only security updates and bug fixes before the next major version. Eventually, another release, version Y, is made available and so on. Distributions like Slackware, Debian, and (generally) Ubuntu fall into this category. For the most part, this release schedule is more stable, because components of the desktop and operating system are updated and tested together before release. For the forensic examiner, this approach introduces fewer mass changes to kernel components and software libraries that might affect the forensic environment or impact evidence integrity and the interpretation of examination results. A rolling release, on the other hand, continually updates software as new versions become available for everything from the kernel to base libraries. This has the benefit of always keeping up with the "latest and greatest". Changes to upstream software are often immediately supported, though the overall experience may be slightly less stable and polished. One obvious downside to choosing a rolling distro is that wholesale changes to the operating system should trigger some validation testing from the forensic examiner. There should be no doubt that a digital forensics platform is operating exactly as expected. 
Constant mass upgrades can interfere with this by possibly breaking or changing expected outputs or hardware behavior. Examples of rolling release distros include Arch, Manjaro, Void, and Ubuntu _Rolling Rhino_. -There also exist ready-made distributions specifically designed for digital forensics. Kali Linux, Caine and Tsrugi Linux are common examples. These are generally used as bootable operating systems for live investigations, but can also be installed directly on hardware to use in a lab. These systems are ready to go with just about all the forensic software one might need to conduct digital forensics, incident response, or even Open Source Intelligence (OSINT). From an education perspective, ready made forensic distributions have you up and running quickly, ready to learn the tools. What you might miss however is actually setting up, finding, and installing the tools yourself, all of which are part of the educational process. +There also exist ready-made distributions specifically designed for digital forensics. Kali Linux, Caine, and Tsrugi Linux are common examples. These are generally used as bootable operating systems for live investigations, but can also be installed directly on hardware to use in a lab. These systems are ready to go with just about all the forensic software one might need to conduct digital forensics, incident response, or even Open Source Intelligence (OSINT). From an education perspective, ready-made forensic distributions have you up and running quickly, ready to learn the tools. What you might miss however is actually setting up, finding, and installing the tools yourself, all of which are part of the educational process. If there are no organizational considerations, then consider using a popular distribution with wide acceptance in the community. Ubuntu is the first distribution that comes to mind here. Much of the forensic software available today for Linux is developed and tested on Ubuntu. 
There is a huge support community for Ubuntu, so most questions that arise already have easily-accessible answers. While this can be said for other distributions (Arch Linux comes to mind), Ubuntu is certainly the most ubiquitous. 
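Review bot: a likely typo in a distribution name is carried over unchanged in the `+There also exist ready-made distributions` line: `Tsrugi Linux` should be `Tsurugi Linux` (the DFIR distribution's name); `Caine` is also usually written `CAINE` by the project, as it is an acronym. Two style points in the same hunk: `a far more simple approach` in the `+Other Linux distributions` line would be `a far simpler approach`, and `What you might miss however is...` is missing the commas the rest of this patch adds around such interruptions (`What you might miss, however, is...`).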
@@ -159,15 +159,15 @@ It may be helpful to create a virtual machine snapshot with the setup you come t ## Learning Linux Forensics -There are copious resources available for Linux learners, from distribution-specific tutorials and Wiki pages to command line-oriented blogs and websites. You can take an online course from Udemy, edX, or even YouTube. Numerous presses publish dozens of books every year. +There are copious resources available for Linux learners, from distribution-specific tutorials and Wiki pages to command-line-oriented blogs and websites. You can take an online course from Udemy, edX, or even YouTube. Numerous presses publish dozens of books every year. The digital forensics niche in Linux is no exception, though you may have to dig a bit for the specific resources you need. Whether you are interested in "Linux forensics" as in using Linux as your forensic platform or as digital forensics specifically on Linux systems, there is no shortage of material for the motivated student. ### Linux as a Platform -Most of what we have covered so far assumes an interest in choosing and installing Linux for use as a platform to perform forensics, either as a primary operating system, or as an adjunct for cross verification. +Most of what we have covered so far assumes an interest in choosing and installing Linux for use as a platform to perform forensics, either as a primary operating system or as an adjunct for cross verification. -To use Linux this way, first we learn the operating system itself: installation, configuration, network environment, and interface. This is common to all users, whether or not the system will be used for digital forensics. We, however, must consider in particular whether there are any "out-of-the-box" configurations or automations that interfere with evidence collection or integrity. +To use Linux this way, first, we learn the operating system itself: installation, configuration, network environment, and interface. 
This is common to all users, whether or not the system will be used for digital forensics. We, however, must consider in particular whether there are any "out-of-the-box" configurations or automations that interfere with evidence collection or integrity. Second, there are the tools we need to learn. These fall into a number of categories: 
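Review bot: the added comma in the replaced `+To use Linux this way, first, we learn` line produces a stutter (`this way, first, we learn`); `To use Linux this way, we first learn the operating system itself:` reads cleanly. Also, `as an adjunct for cross verification` in the `+Most of what we have covered` line is left unhyphenated while earlier hunks of this patch change the noun to `cross-verification`.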
@@ -181,23 +181,23 @@ Second, there are the tools we need to learn. These fall into a number of catego There are specific tools (with some crossover) for each of these categories that we'll cover in the next sections. -The Law Enforcement and Forensic Examiner's Introduction to Linux, the [LinuxLEO guide](https://www.linuxleo.com), is available for free. Written by the same author as this chapter, the guide was produced as a complete guide for beginners. It covers installing Linux, learning the operating system, and using forensic tools to conduct hands on exercises using sample practice files. The materials are freely available at https://www.linuxleo.com. +The Law Enforcement and Forensic Examiner's Introduction to Linux, the [LinuxLEO guide](https://www.linuxleo.com), is available for free. Written by the same author as this chapter, the guide was produced as a complete guide for beginners. It covers installing Linux, learning the operating system, and using forensic tools to conduct hands-on exercises using sample practice files. The materials are freely available at https://www.linuxleo.com. {pagebreak} ### Linux as a target -Perhaps you have no specific desire to use Linux as a day to day forensic platform. There is, however, something to be said for knowing how Linux works and where to look for evidence should you be assigned an analysis where the subject device runs a version of Linux. +Perhaps you have no specific desire to use Linux as a day-to-day forensic platform. There is, however, something to be said for knowing how Linux works and where to look for evidence should you be assigned an analysis where the subject device runs a version of Linux. -For years now, Linux has been a popular server operating system, utilized in enterprise environments across the world. In the past few years, there has been a steady growth of "desktop" Linux, particularly with the emergence of user-oriented distributions like Ubuntu, Mint and derivations based on them. 
A growth in Linux-compatible software for specialized tasks such as video editing, publishing, and even gaming has resulted in Linux being more widely adopted. While the platform has always been well-represented in academia, the proliferation of Linux desktop applications has resulted in a much wider user base. +For years now, Linux has been a popular server operating system, utilized in enterprise environments across the world. In the past few years, there has been a steady growth of "desktop" Linux, particularly with the emergence of user-oriented distributions like Ubuntu, Mint, and derivations based on them. A growth in Linux-compatible software for specialized tasks such as video editing, publishing, and even gaming has resulted in Linux being more widely adopted. While the platform has always been well-represented in academia, the proliferation of Linux desktop applications has resulted in a much wider user base. Given the popularity of the Android operating system, which is (in simple terms) based on Linux, there has always been a stronger need for familiarity with Linux in the analysis of mobile devices. Note, however, that Android is not the same as the Linux we find on desktop computers. They are similar for sure, but their file system structures and application analysis are widely divergent. -One of the biggest issues that arises when examining a Linux system is the breadth of options available to a user in a customized desktop or server. For example, an examiner must be at least somewhat familiar with a subject computer's _init_ system. Most modern distributions use _systemd_ to control processes and logging. Other distributions rely on the older text based _BSD init_ or _System V_ process scripts. In either case and depending on the nature of the investigation, knowing how processes are started and how they are stopped might be an important part of the forensic puzzle. 
+One of the biggest issues that arise when examining a Linux system is the breadth of options available to a user on a customized desktop or server. For example, an examiner must be at least somewhat familiar with a subject computer's _init_ system. Most modern distributions use _systemd_ to control processes and logging. Other distributions rely on the older text-based _BSD init_ or _System V_ process scripts. In either case and depending on the nature of the investigation, knowing how processes are started and how they are stopped might be an important part of the forensic puzzle. Tracking and identifying _user activity_ is often another important piece of the puzzle. With Linux, regardless of distribution, users have a wide range of choices for desktop environments, window managers, file managers, and many other desktop components. All of these components, some used in combination, store configuration and user activity in different formats and locations which makes having intimate knowledge of every possible iteration very difficult. -Even the very low level components of a Linux installation can differ - even within a single distribution. Users can choose a different bootloader (which loads the operating system) or a different file system format for various partitions. Most Linux distributions will use the Ext4 file system by default, but it's a simple matter to select and install any number of others depending on preference and use case: btrFS, XFS, ZFS, JFS are all file systems you might encounter. Should an examiner come across one of these, consideration would need to be given to file recovery, allocation strategies to help determine file activity, and perhaps forensic software support. +Even the very low-level components of a Linux installation can differ - even within a single distribution. Users can choose a different bootloader (which loads the operating system) or a different file system format for various partitions. 
Most Linux distributions will use the Ext4 file system by default, but it's a simple matter to select and install any number of others depending on preference and use case: btrFS, XFS, ZFS, JFS are all file systems you might encounter. Should an examiner come across one of these, consideration would need to be given to file recovery, allocation strategies to help determine file activity, and perhaps forensic software support. All of these are challenges with examining any of the myriad permutations of Linux. There are a few books covering the basics of Linux examinations. Much of the information available from a forensic perspective can also be found in videos and seminars. For anyone looking for a challenging focus for research or a subject for an academic project, Linux as a forensic target provides ample subject matter for unique content. 
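Review bot: In the @@ -181 hunk, the rewritten file system line still spells the file system as `btrFS` ("btrFS, XFS, ZFS, JFS are all file systems you might encounter"); since the line is being touched anyway, correct it to the project's own spelling, Btrfs, and give the list the serial comma the rest of the hunk now adopts ("Ubuntu, Mint, and derivations"): "Btrfs, XFS, ZFS, and JFS". The rest of the hunk's edits (hyphenating "text-based", "low-level", "day-to-day") are fine.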
@@ -261,11 +261,11 @@ There are far too many tools to cover in a single chapter. Again, documents like The acquisition tools in the above table work in generally the same manner, creating "bit for bit" or _raw_ images that are essentially exact duplicates of the storage media being imaged. `dd` is the original Linux tool used for basic forensic imaging. It was not explicitly designed for that, but it is useful in a pinch, particularly because it will be available on just about any Unix or Linux system you might come across. -Variants of `dd` include `dc3dd` and `dcfldd`. These are both forks of `dd` that were coded specifically with digital forensics and media acquisition in mind. Both include logging and built-in hashing capabilities with a multiple available hash algorithms. There are also options to directly split the output files for easier handling. +Variants of `dd` include `dc3dd` and `dcfldd`. These are both forks of `dd` that were coded specifically with digital forensics and media acquisition in mind. Both include logging and built-in hashing capabilities with multiple available hash algorithms. There are also options to directly split the output files for easier handling. Command line imaging tools like `dd` and those based on it can seem a bit confusing to use at first, but they all follow the same basic command layout. In simplest terms, you have an **input file** defined by `if=/dev/`. This is our subject media - the media we are imaging and will eventually examine. -The **output file** - the image file we are writing to, is defined with `of=`. The file name is arbitrary, but general convention is to use a `.dd` or `.raw` extension for images created with `dd`. The forensic-specific versions of `dd` extend the options. Using `dc3dd` as an example, the output file can be defined with `hof= hash=algorithm` to specify hashing the input media and the resulting image. An examiner can also split the output into smaller segments using `ofs= ofsz=`. 
Combining the options gives a split file with all the segments and the original media hashed using `hofs= hash= ofsz=`. The entire output can be documented with the `log=` option. We will see an example of this in the scenario in the next section. +The **output file** - the image file we are writing to, is defined with `of=`. The file name is arbitrary, but the general convention is to use a `.dd` or `.raw` extension for images created with `dd`. The forensic-specific versions of `dd` extend the options. Using `dc3dd` as an example, the output file can be defined with `hof= hash=algorithm` to specify hashing the input media and the resulting image. An examiner can also split the output into smaller segments using `ofs= ofsz=`. Combining the options gives a split file with all the segments and the original media hashed using `hofs= hash= ofsz=`. The entire output can be documented with the `log=` option. We will see an example of this in the scenario in the next section. Learning how to image with Linux command line tools is a useful skill for all digital forensic practitioners. Using Linux bootable media to access in-situ media is not uncommon. 
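Review bot: In the @@ -261 hunk, the rewritten line `+The **output file** - the image file we are writing to, is defined with `of=`` opens the parenthetical with a hyphen and closes it with a comma; use a matched pair: "The **output file**, the image file we are writing to, is defined with `of=`". The `dc3dd` options named in the same line (`hof=`, `hash=`, `ofs=`, `ofsz=`, `hofs=`, `log=`) are correct, but "Combining the options gives a split file with all the segments and the original media hashed" would be clearer as "hashes both the input media and every output segment".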
@@ -275,7 +275,7 @@ Learning how to image with Linux command line tools is a useful skill for all di #### Evidence Integrity -In general, command line collection of a forensic image should include calculation of a hash _prior_ to imaging. This is usually followed by a hash of the resulting forensic image. In recent years, industry practitioners have taken to relying on the built in hashing capabilities of their imaging tools to do the work for them. Manual hashing is both a good idea and a good skill to have. +In general, command line collection of a forensic image should include calculation of a hash _prior_ to imaging. This is usually followed by a hash of the resulting forensic image. In recent years, industry practitioners have taken to relying on the built-in hashing capabilities of their imaging tools to do the work for them. Manual hashing is both a good idea and a good skill to have. The algorithm you select to hash with (MD5, SHA1, etc.) will be determined by your organization's policies and the standards you are working under. Issues surrounding hash algorithm selection are outside the scope of this chapter. 
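Review bot: In the @@ -275 hunk, "command line collection" in the rewritten line is left unhyphenated while the same patch introduces "command-line-oriented" and "built-in"; hyphenate it the same way. The unchanged context line below lists the algorithms as "(MD5, SHA1, etc.)"; the standard spelling is "SHA-1", worth fixing while the paragraph is being edited.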
@@ -352,17 +352,17 @@ Again, for a more detailed look at The Sleuthkit refer to the [LinuxLEO Guide](h Digital forensics is far more than just recovering deleted files. There are databases to parse, temporal data to extract and organize, and other artifacts to review and make sense of. Operating system changes, application version changes, and various format changes make keeping our knowledge up to date a challenging prospect. -Luckily, there are a great many open source projects that specifically address the collection and analysis of everything from macOS plist to Windows shellbags. Using them might not be as simple as clicking a line item in a GUI forensic suite or selecting a specific view in a menu. But again, the open source tools very often provide a simple command line interface to provide an uncluttered look at the data we need most. In addition, many of these tools provide _libraries_ to allow developers to include artifact parsing capabilities in more feature rich tools. One example of this is _Autopsy_, a GUI digital forensic tool that utilizes Sleuthkit libraries to parse disk images, storage volumes, and file systems. Additional functionality is provided by external open source libraries for artifact parsing and timeline creation. +Luckily, there are a great many open source projects that specifically address the collection and analysis of everything from macOS plist to Windows shellbags. Using them might not be as simple as clicking a line item in a GUI forensic suite or selecting a specific view in a menu. But again, the open source tools very often provide a simple command line interface to provide an uncluttered look at the data we need most. In addition, many of these tools provide _libraries_ to allow developers to include artifact parsing capabilities in more feature-rich tools. One example of this is _Autopsy_, a GUI digital forensic tool that utilizes Sleuthkit libraries to parse disk images, storage volumes, and file systems. 
Additional functionality is provided by external open-source libraries for artifact parsing and timeline creation. -For those examiners that are proficient in the Python language, there are often specific Python libraries that can be used to parse artifacts. In some cases the previously mentioned open source libraries will include _bindings_ that provide Python code allowing us to write scripts that can parse artifacts of interest. +For those examiners that are proficient in the Python language, there are often specific Python libraries that can be used to parse artifacts. In some cases, the previously mentioned open source libraries will include _bindings_ that provide Python code allowing us to write scripts that can parse artifacts of interest. One example of this is the [libewf](https://github.com/libyal/libewf) project. This library provides access to Expert Witness Format (EWF) images created by many acquisition utilities. The project includes tools like `ewfacquire`, `ewfmount` and `ewfinfo` to acquire and directly interact with common `.E01` images. In addition to the tools, there are also libraries that can be included in other programs to provide access to EWF images. The Sleuthkit can be compiled with `libewf` support, allowing TSK tools to be used directly on `.E01` images without first having to convert them to "raw" format. Finally, `pyewf` Python bindings are provided to allow anyone to create scripts using `libewf` functionality. {pagebreak} -For operating system artifacts, this same approach is found in other libraries like [libevtx](https://github.com/libyal/libevtx) for Windows event logs, [libregf](https://github.com/libyal/libregf) for Windows registry hives, [libscca](https://github.com/libyal/libscca) for Windows prefetch files, and _many_ others. These are all part of the [libyal](https://github.com/libyal) project. 
These are not the only application level artifact tools and libraries out there, but they can give an idea of what is available. +For operating system artifacts, this same approach is found in other libraries like [libevtx](https://github.com/libyal/libevtx) for Windows event logs, [libregf](https://github.com/libyal/libregf) for Windows registry hives, [libscca](https://github.com/libyal/libscca) for Windows prefetch files, and _many_ others. These are all part of the [libyal](https://github.com/libyal) project. These are not the only application-level artifact tools and libraries out there, but they can give an idea of what is available. -Tools on the Linux command line are, of course, not limited to computer storage media either. There are libraries and tools for mobile device analysis as well, such as [libimobiledevice](https://libimobiledevice.org/) for iOS devices. Application data from mobile devices are often stored in SQL database files. The built-in database programs included in many Linux distributions that can often extract desired data from chat apps, location-based artifacts, and more. +Tools on the Linux command line are, of course, not limited to computer storage media either. There are libraries and tools for mobile device analysis as well, such as [libimobiledevice](https://libimobiledevice.org/) for iOS devices. Application data from mobile devices are often stored in SQL database files. The built-in database programs are included in many Linux distributions that can often extract desired data from chat apps, location-based artifacts, and more. So what does all this look like in use? 
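Review bot: In the @@ -352 hunk, the rewrite `+... The built-in database programs are included in many Linux distributions that can often extract desired data from chat apps ...` attaches "that can often extract" to "distributions" instead of to the programs, so the sentence is now grammatical but says the wrong thing. The removed line was missing its main verb; supply one without moving the relative clause: "The database programs built into many Linux distributions can often extract the desired data from chat apps, location-based artifacts, and more." In the same hunk, "from macOS plist to Windows shellbags" should read "plists".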
@@ -374,9 +374,9 @@ So what does all this look like in use? An important part of every digital forensic analysis is defining the goal or at least the scope of your examination. Focusing on a goal helps us identify the tools required and the methods we should use. When we provide forensic support to other investigators, the goal of the examination is typically defined by the support request. In other cases, the elements of the crime or known indicators (in the case of network compromise) provide the goals. -In this particular exercise, we will go back to our premise of cross verification. Covering every step in exact detail is outside the scope of this chapter. This is an illustration of what a simple cross verification of results might look like. +In this particular exercise, we will go back to our premise of cross verification. Covering every step in exact detail is outside the scope of this chapter. This is an illustration of what a simple cross-verification of results might look like. -Let us assume we have the output from a Windows Forensic suite that shows a particular user last login date of a Windows workstation at a given time. This was done through the examination of the Security Account Manager (SAM) registry file. The specific time the user logged in is imperative to the case and we want to cross verify the results. Our original output shows this: +Let us assume we have the output from a Windows Forensic suite that shows a particular user last login date of a Windows workstation at a given time. This was done through the examination of the Security Account Manager (SAM) registry file. The specific time the user logged in is imperative to the case and we want to cross-verify the results. Our original output shows this: > Username : johnnyFox [1000] > Full Name : 
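Review bot: In the @@ -374 hunk, `+Let us assume we have the output from a Windows Forensic suite that shows a particular user last login date` still lacks the possessive: "a particular user's last login date". "Forensic" need not be capitalized here; "a Windows forensic suite" matches the lower-case usage later in the section ("using a common digital forensics tool under Windows").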
@@ -411,7 +411,7 @@ sdb 7:0 0 500M 1 disk -- sdb1 259:4 0 499M 1 part ... ``` -Once we've identified the device, we can image it with `dd` or preferably a more forensic oriented version like `dc3dd`: +Once we've identified the device, we can image it with `dd` or preferably a more forensic-oriented version like `dc3dd`: {line-numbers:false} ```console @@ -469,7 +469,7 @@ Slot Start End Length Description 002: 000:000 0000002048 0001023999 0001021952 NTFS / exFAT (0x07) ``` -Using the `mmls` command from the Sleuthkit, we can see that there is only one NTFS file system, at a _sector offset_ of `2O48` (under `Start`). We will be using additional file system and file extraction tools from TSK, and the sector offset is an important value. We use it to tell TSK _which volume_ to access inside the image. Media storage partitioning can be quite complex, and with TSK we access each volume/file system separately. +Using the `mmls` command from the Sleuthkit, we can see that there is only one NTFS file system, at a _sector offset_ of `2O48` (under `Start`). We will be using the additional file system and file extraction tools from TSK, and the sector offset is an important value. We use it to tell TSK _which volume_ to access inside the image. Media storage partitioning can be quite complex, and with TSK we access each volume/file system separately. * * * 
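Review bot: In the @@ -469 hunk, the rewritten line keeps the sector offset as `2O48` with a capital letter O in place of the zero: "at a _sector offset_ of `2O48` (under `Start`)". The `mmls` output directly above shows `0000002048`, and the later `fls -o 2048` and `icat -o 2048` commands use the digit, so a reader copying the value from the prose gets a non-numeric offset; change it to `2048`. The added article in "using the additional file system and file extraction tools from TSK" is unnecessary; "using additional ... tools" reads better.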
@@ -532,14 +532,14 @@ There is quite a bit of information in the `fsstat` output. File system type, ve ### Sample Scenario: Identify the File(s) of Interest -In this particular scenario we are conducting a cross verification of findings from a file we already know - the SAM registry file. In a normal Windows installation, the SAM is located in `C:\Windows\system32\config`. We can use the Sleuthkit `fls` tool to recursively list all the allocated files in the volume of interest and specifically look, or _grep_, for `Windows/System32/config/SAM`: +In this particular scenario, we are conducting a cross-verification of findings from a file we already know - the SAM registry file. In a normal Windows installation, the SAM is located in `C:\Windows\system32\config`. We can use the Sleuthkit `fls` tool to recursively list all the allocated files in the volume of interest and specifically look, or _grep_, for `Windows/System32/config/SAM`: {line-numbers:false} ```console $ fls -Fr -o 2048 image.raw | grep -i system32/config/SAM r/r 178-128-2: Windows/System32/config/SAM ``` -This output gives us the NTFS file system's Master File Table, or MFT entry for the SAM file. In this case, the MFT entry is `178-128-2`. +This output gives us the NTFS file system's Master File Table or MFT entry for the SAM file. In this case, the MFT entry is `178-128-2`. * * * 
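Review bot: In the @@ -532 hunk, dropping the comma in `+This output gives us the NTFS file system's Master File Table or MFT entry for the SAM file` makes it read as "Master File Table, or alternatively MFT entry"; what is meant is the MFT entry, so write "the NTFS file system's Master File Table (MFT) entry for the SAM file". It would also help the reader to note, where `178-128-2` is introduced, that only the leading `178` is the MFT entry number (the `128-2` part identifies the `$DATA` attribute and its id), since the next section passes just `178` to `icat`.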
@@ -556,9 +556,9 @@ $ icat -o 2048 image.raw 178 > image.SAM $ file image.SAM image.SAM: MS Windows registry file, NT/2000 or above ``` -The `icat` command extracts the SAM file and writes it to the file called `image.SAM` (arbitrarily named). Once this is done, we use the Linux `file` command to make sure that the file type we've extracted matches what we expect. In this case we expected a Windows registry file, and that's exactly what we have. +The `icat` command extracts the SAM file and writes it to the file called `image.SAM` (arbitrarily named). Once this is done, we use the Linux `file` command to make sure that the file type we've extracted matches what we expect. In this case, we expected a Windows registry file, and that's exactly what we have. -At this point we can install `libregf`. This will allow us to gather some simple identifying information as well as _mount_ the registry file to allow us to parse it for the information we are seeking. The following commands are provided by the `libregf` package: +At this point, we can install `libregf`. This will allow us to gather some simple identifying information as well as _mount_ the registry file to allow us to parse it for the information we are seeking. The following commands are provided by the `libregf` package: {line-numbers:false} ```console 
@@ -583,7 +583,7 @@ Using commands provided by `libregf` we confirm the identity and version of the ### Sample Scenario: Parse the Artifact -Given the fact that we've already examined this file in our main forensic suite, and we are simply cross verifying our results here, we would probably know the account's _Relative ID_ (RID) - in this case the account's RID is `1000`. +Given the fact that we've already examined this file in our main forensic suite, and we are simply cross-verifying our results here, we would probably know the account's _Relative ID_ (RID) - in this case, the account's RID is `1000`. Now that we know the RID (from our previous examination - this is a cross verification), we can browse to the account's associated keys in the mounted registry file: @@ -640,7 +640,7 @@ $ python ~/WinTime.py 678e5df7f7c1d201 Sun Apr 30 21:23:09 2017 ``` -Here again is the original output from the analysis we are trying to verify (with some output removed for brevity): +Here again, is the original output from the analysis we are trying to verify (with some output removed for brevity): {line-numbers:false} ```console 
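Review bot: In the @@ -583 hunk, "cross-verifying" is hyphenated in the rewritten line, but the unchanged context line immediately below still reads "this is a cross verification"; the hunk should update that line too so the hyphenation is consistent within the paragraph.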
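Review bot: In the @@ -640 hunk, the inserted comma in `+Here again, is the original output from the analysis we are trying to verify` separates subject from verb and makes the sentence worse; keep the removed line's "Here again is the original output".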
@@ -651,11 +651,11 @@ Last Login Date : **Sun Apr 30 21:23:09 2017 Z** So we can see that our original analysis, using a common digital forensics tool under Windows, has been cross verified with a completely separate set of tools under a different operating system. A far more detailed look at this level of analysis is covered in the aforementioned LinuxLEO guide. -Note that we included the acquisition here for completeness, but in a real cross verification situation, the image already acquired is fine to use - it has generally already been verified by hashing. +Note that we included the acquisition here for completeness, but in a real cross-verification situation, the image already acquired is fine to use - it has generally already been verified by hashing. -We've actually accomplished a bit more by verifying our results with Linux. In addition to proving the veracity of what our original tool found, we have focused on a "smoking gun" artifact and _manually_ extracted and parsed it ourselves. This entire manual process will go in your notes along with any research you needed to do in order to complete it (What registry file do I need? Where is the login data stored? What offset? What format?). Should you ever be called to testify or participate in any adjudication process, you will be better prepared to answer the oppositions questions on _how_ your original tool found what it reported. +We've actually accomplished a bit more by verifying our results with Linux. In addition to proving the veracity of what our original tool found, we have focused on a "smoking gun" artifact and _manually_ extracted and parsed it ourselves. This entire manual process will go in your notes along with any research you needed to do in order to complete it (What registry file do I need? Where is the login data stored? What offset? What format?). 
Should you ever be called to testify or participate in any adjudication process, you will be better prepared to answer the opposition's questions on _how_ your original tool found what it reported. -This same approach applies to results of a mobile device analysis. In many mobile device analysis suites, chats are displayed in a GUI tool and organized by conversation. Find something important to the investigation? Fire up a Linux command line and dig into the database yourself. In many cases you don't even need to leave your Windows forensic workstation desktop. You can use WSL/WSL2, or SSH into your physical Linux workstation or VM using [PuTTY](https://putty.org). +This same approach applies to the results of a mobile device analysis. In many mobile device analysis suites, chats are displayed in a GUI tool and organized by conversation. Find something important to the investigation? Fire up a Linux command line and dig into the database yourself. In many cases, you don't even need to leave your Windows forensic workstation desktop. You can use WSL/WSL2, or SSH into your physical Linux workstation or VM using [PuTTY](https://putty.org). * * *
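Review bot: In the @@ -651 hunk, the rewritten line `+Note that we included the acquisition here for completeness, but in a real cross-verification situation, the image already acquired is fine to use - it has generally already been verified by hashing.` leaves out the check a practitioner would want stated: before reusing an existing image for cross-verification, re-hash it and compare the result against the hash recorded at acquisition, and record both in the examination notes; "generally already been verified" should say that explicitly rather than assume it. Also, the unchanged context line above, "has been cross verified with a completely separate set of tools", still lacks the hyphen the rest of the hunk adds.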