Saturday 26 December 2009

Forensic Cop Journal 2(3): Standard Operating Procedure of Acquisition on Ubuntu

Introduction

When dealing with storage media as evidence, a digital forensic analyst must be careful during acquisition. A single mistake at this stage casts doubt on every later step, and the evidence could even be rejected by the court. Because acquisition is so important in digital forensics, it must be handled properly. So that the output of the acquisition process is reliable, this journal discusses how to perform it properly on a Linux Ubuntu machine.

Acquisition is usually performed with forensic applications such as FTK Imager from AccessData and EnCase from Guidance Software, running under MS Windows. This journal gives the digital forensic analyst a different perspective: how to do it on an Ubuntu analysis workstation. The output produced on the Ubuntu machine is the same as the output yielded by the applications above, so the analyst has more than one way to perform the acquisition.

One philosophy of digital forensics that the analyst must understand is never to rely on a single application for the analysis. The analyst should have as many forensic applications as possible for any one forensic job; with such a set, the analyst can choose the one or several that give the best results. To use these applications properly, the analyst should also understand the digital forensic procedure well.

Step 1: Preparing the machine for forensically sound write protect

After the machine has booted, open the command console (terminal) and type the following command to become the super user. The super user has the privilege to modify any file on the machine.

sudo -s

After that, type the command below:

gedit /etc/fstab

This command opens the file fstab stored in the folder /etc for editing, with the purpose of configuring the “write protect” condition; opening it also lets you check whether the “write protect” configuration has already been applied. Under “write protect”, any storage media (hard disk, flash disk and so on) attached to the analysis machine through a USB port is protected from changes, whether incidental or deliberate: no action applied to the evidence media affects its content, so the content remains unchanged throughout the acquisition.

If the file has not yet been configured for “write protect”, add the lines below to /etc/fstab. They can be placed at the end of the file.

# Read Only Configuration
/dev/sdb     /media/sdbro     auto   noauto,user,ro,nosuid,nodev,uhelper=hal   0   0
/dev/sdb1   /media/sdb1ro   auto   noauto,user,ro,nosuid,nodev,uhelper=hal   0   0
/dev/sdb2   /media/sdb2ro   auto   noauto,user,ro,nosuid,nodev,uhelper=hal   0   0
/dev/sdb3   /media/sdb3ro   auto   noauto,user,ro,nosuid,nodev,uhelper=hal   0   0
/dev/sdb4   /media/sdb4ro   auto   noauto,user,ro,nosuid,nodev,uhelper=hal   0   0
/dev/sdb5   /media/sdb5ro   auto   noauto,user,ro,nosuid,nodev,uhelper=hal   0   0


/media/sdbro is the mounting location of the evidence of storage media in which the evidence is usually marked as /dev/sdb, while /media/sdb1ro till /media/sdb5ro are the mounting location of each partition which is marked as /dev/sdb1 to /dev/sdb5. The reason why the number of partition is five is to anticipate the possibility of the storage media has five partitions. To prepare the mounting location as mentioned above, type the following commands.

mkdir /media/sdbro
mkdir /media/sdb1ro
mkdir /media/sdb2ro
mkdir /media/sdb3ro
mkdir /media/sdb4ro
mkdir /media/sdb5ro


After the configuration above has been added into the file /etc/fstab, the file is saved. The file has been ready for the purpose of forensically sound write protect. For further information, please access the forensic journal related to this topic at http://forensiccop.blogspot.com.
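As an added check (this script is not part of the journal; the device name /dev/sdb, the temporary paths and both sample tables are constructed), the following POSIX shell functions verify that every fstab entry for the evidence device is read-only and that nothing on that device is mounted writable once it is attached:

```shell
# Added example, not from the journal: confirm that every /etc/fstab entry for
# the evidence device carries "ro", and that nothing on it is mounted writable.

# check_fstab_ro FSTAB DEVICE: report each entry for DEVICE or a partition of
# it (DEVICE1, DEVICE2, ...) that lacks "ro" or carries "rw". Returns 0 only
# when at least one entry exists and all of them are read-only.
check_fstab_ro() {
    fstab="$1"; dev="$2"; bad=0; found=0
    while read -r fs_spec mnt type opts rest; do
        case "$fs_spec" in ''|'#'*) continue ;; esac            # blank/comment
        case "$fs_spec" in "$dev"|"$dev"[0-9]*) ;; *) continue ;; esac
        found=$((found + 1))
        case ",$opts," in
            *,rw,*) echo "writable entry: $fs_spec on $mnt ($opts)"; bad=1 ;;
            *,ro,*) ;;
            *)      echo "missing ro: $fs_spec on $mnt ($opts)"; bad=1 ;;
        esac
    done < "$fstab"
    [ "$found" -gt 0 ] || { echo "no entries for $dev in $fstab"; return 1; }
    return "$bad"
}

# check_mounts_ro MOUNTS DEVICE: the same test against a mount table in the
# format of /proc/mounts, i.e. what is actually in effect after attaching.
check_mounts_ro() {
    mounts="$1"; dev="$2"
    while read -r src mnt type opts rest; do
        case "$src" in "$dev"|"$dev"[0-9]*) ;; *) continue ;; esac
        case ",$opts," in *,ro,*) ;; *) echo "$src writable at $mnt"; return 1 ;; esac
    done < "$mounts"
    return 0
}

# Constructed sample fstab: /dev/sdb3 is deliberately left writable.
SAMPLE_FSTAB="${TMPDIR:-/tmp}/fstab.sample.$$"
cat > "$SAMPLE_FSTAB" <<'EOF'
/dev/sdb   /media/sdbro   auto  noauto,user,ro,nosuid,nodev,uhelper=hal  0  0
/dev/sdb1  /media/sdb1ro  auto  noauto,user,ro,nosuid,nodev,uhelper=hal  0  0
/dev/sdb3  /media/sdb3    auto  noauto,user,rw,nosuid,nodev              0  0
EOF
# Constructed snapshot of /proc/mounts after the evidence was attached.
SAMPLE_MOUNTS="${TMPDIR:-/tmp}/mounts.sample.$$"
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sdb1 /media/sdb1ro vfat ro,nosuid,nodev,relatime 0 0
EOF

check_fstab_ro "$SAMPLE_FSTAB" /dev/sdb || echo "fstab check FAILED"   # sdb3
check_mounts_ro "$SAMPLE_MOUNTS" /dev/sdb && echo "live mounts are read-only"
```

A read-only mount entry only protects what is accessed through that mount: tools that open the block device directly, or the journal replay the kernel performs when mounting some journalled filesystems that were not cleanly unmounted, are not covered by it, so a hardware write blocker remains the stronger control where one is available.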

For further information on this journal, please access http://www.scribd.com/doc/24519235/Forensic-Cop-Journal-2-3-2009-Standard-Operating-Procedure-of-Acquisition-on-Ubuntu, where you will find the full version of this journal. I hope this journal could be useful for those who would like to experience the digital forensic world.

Saturday 19 December 2009

Forensic Cop Journal 2(2): Standard Operating Procedure of Audio Forensic

Introduction


There are many types of digital evidence which could be encountered by digital forensic analyst in dealing with computer crime or computer-related crime. Not only files, videos, digital images, encrypted items, unallocated clusters, slacks and so forth, but also digital audio files might be analysed. In certain cases, the audio files become significant evidence to show the involvement of the perpetrators in the criminal case. Usually it contains speech records between two or more people talking about a plan to commit a crime; therefore the analyst should be able to reveal this conversation to the criminal investigators. With this evidence, the investigators have strong reason to prove that the perpetrators have planned a crime.

Revealing the conversation contained in audio files is not an easy job. The analyst must follow strict audio forensic guidelines so that the output of the analysis is accepted by the court; once a single step of the analysis is performed carelessly, the results may be rejected. To obtain the best results from audio forensic analysis, this journal discusses a Standard Operating Procedure (SOP) of Audio Forensic. With this SOP, it is expected that analysts have good step-by-step guidelines for performing audio forensic analysis, so that the results are reliable.

The SOP of Audio Forensic comprises five steps, namely acquisition, authentication, audio enhancement, decoding and voice recognition. Below is the explanation of each step.

For the complete explanation of each step above, please access this link http://www.scribd.com/doc/24292835/Forensic-Cop-Journal-2-2-2009-Standard-Operating-Procedure-of-Audio-Forensic to download the PDF version. Hopefully this journal helps digital forensic analysts perform audio forensic analysis properly.

Tuesday 1 December 2009

Forensic Cop Journal 2(1): Ubuntu Forensic

Background

Ubuntu Forensic is the use of Ubuntu for digital forensic purposes. Because it provides a wide range of forensic tools, as well as anti-forensic and cracking tools, it is a reliable platform for investigating a computer crime and analysing digital evidence. The significant difference between forensic applications on Ubuntu and on MS Windows is that the Ubuntu applications are freeware, while the applications running under MS Windows are commercial. The results obtained from these applications are relatively the same. This means that the digital forensic analyst should be as well versed in the Ubuntu forensic applications as in the MS Windows ones; they then have many forensic tools that can be applied in the investigation or analysis, and when one tool does not give satisfactory results, they can use other tools under either Ubuntu or MS Windows to get the best results.

This journal is written to broaden the forensic view among forensic professionals. It is expected that they can explore the packages provided on Ubuntu for forensic purposes. They should know that not only MS Windows forensic applications can be used for digital forensic work; many tools on Ubuntu can do the same thing with the same results. To some extent, Ubuntu gives stronger results than the MS Windows applications. For instance, dcfldd can be used for forensic imaging for different purposes: it can image certain selected blocks as well as the whole drive, a feature not provided by imaging applications running under MS Windows. Another instance is image metadata analysis through EXIF. On Ubuntu there are several tools for analysing image EXIF data, such as exif, exiftool and metacam, and tools for manipulating EXIF values, such as exiv2 and libjpeg-progs. All these tools are freeware.
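The selective imaging mentioned above, shown as an added example that is not the journal's own commands: plain dd and sha256sum image a chosen sector range (or the whole drive) and verify the copy by hash, which dcfldd performs in a single run. The sample drive file, the temporary paths and the 512-byte sector size are constructed for the demonstration.

```shell
# Added example, not from the journal: image a chosen sector range or the whole
# drive with dd, then verify the copy by SHA-256 (dcfldd does both in one run).

# image_range SOURCE DEST SKIP COUNT: copy COUNT 512-byte sectors starting at
# sector SKIP; conv=noerror,sync reads past unreadable sectors and zero-fills
# them so the image keeps the source's geometry.
image_range() {
    dd if="$1" of="$2" bs=512 skip="$3" count="$4" conv=noerror,sync 2>/dev/null
}

# verify_image SOURCE DEST SKIP COUNT: succeed only when the SHA-256 of the
# same sector range of the source equals that of the image file.
verify_image() {
    src_hash=$(dd if="$1" bs=512 skip="$3" count="$4" 2>/dev/null | sha256sum | cut -d' ' -f1)
    img_hash=$(sha256sum < "$2" | cut -d' ' -f1)
    echo "source: $src_hash"; echo "image : $img_hash"
    [ "$src_hash" = "$img_hash" ]
}

# image_sectors IMAGE: number of 512-byte sectors held by an image file.
image_sectors() {
    echo $(( $(wc -c < "$1") / 512 ))
}

# Constructed "drive": eight sectors, each a short label zero-padded to 512 bytes.
DRIVE="${TMPDIR:-/tmp}/drive.sample.$$"
IMAGE="${TMPDIR:-/tmp}/image.sample.$$"
: > "$DRIVE"
i=0
while [ "$i" -lt 8 ]; do
    printf 'sector %d' "$i" | dd bs=512 count=1 conv=sync 2>/dev/null >> "$DRIVE"
    i=$((i + 1))
done

image_range "$DRIVE" "$IMAGE" 2 3            # only sectors 2, 3 and 4
verify_image "$DRIVE" "$IMAGE" 2 3 && echo "partial image verified"
image_range "$DRIVE" "$IMAGE" 0 8            # the whole drive
verify_image "$DRIVE" "$IMAGE" 0 8 && echo "full image verified"
```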

One essential reason why the author frequently uses Ubuntu for digital forensic purposes such as forensic imaging is forensically sound write protect. It is compulsory for every digital forensic analyst to apply it when dealing with storage drive evidence. The aim is to avoid changing the contents of the drive either incidentally or deliberately. Once the contents are changed, the subsequent digital forensic actions become doubtful or are even refused by the court, unless the analyst can explain comprehensively why (i.e. the relevance) they were changed and what the implications of that action are. This is usually performed in live analysis with strict procedures. In dead analysis (i.e. post mortem) the analyst is still required to keep the contents of the hard drive unchanged. To reach this purpose, Ubuntu can be modified to give forensically sound write protect. This is done by modifying the file /etc/fstab so that the mount option is read-only; whatever is done on the drive evidence then does not change its contents. When a text file is accessed, the action does not change the MAC (i.e. Modified, Accessed and Created) times at all: they remain unchanged although the file is accessed. This occurs because the modification of /etc/fstab gives forensically sound write protect against any action committed by the analyst on the drive.

With this feature, the analyst can do many things, such as live analysis of the drive, to speed up the investigation. This is frequently done when many drives are the evidence: if the regular digital forensic procedure is followed, forensic imaging of each drive takes a long time. The shortcut is to apply forensically sound write protect and then read and analyse the drives directly, so that the analyst can learn which of the drives has a strong relationship with the case. Once that is known, the analyst can carry out further analysis on it.

Below are the tools that can be used for digital forensic analysis, anti-forensics and cracking. There are twenty-five tools for forensic purposes, fifteen for anti-forensics and ten for cracking. There are actually further tools whose descriptions relate to these purposes, but they are not mentioned in this journal. One powerful tool often used by the author is Autopsy, the GUI version of The Sleuth Kit created by Brian Carrier. What the commercial applications running under MS Windows, such as EnCase and FTK, discover when analysing digital evidence is the same as what Autopsy finds.

The description of each tool below is quoted directly from the Synaptic Package Manager created by Conectiva S/A and Michael Vogt in April 2009. This application makes it easy for Ubuntu users to install or uninstall Ubuntu packages. If they are still in doubt about the use of a certain package, they should read the description given for each package.

The full version of this journal can be downloaded at http://www.scribd.com/doc/23406648/Forensic-Cop-Journal-2-1-2009-Ubuntu-Forensic. I hope this journal could be useful, in a positive sense, for anybody who would like to explore Ubuntu for digital forensic purposes.