Tuesday 1 December 2009

Forensic Cop Journal 2(1): Ubuntu Forensic

Background

Ubuntu Forensic is the use of Ubuntu for digital forensic purposes. As it provides a wide range of forensic tools as well as anti-forensic and cracking tools, so it is reliable to investigate a computer crime and analyse digital evidence on it. The significant difference on forensic applications between Ubuntu and Ms Windows is that Ubuntu applications are freeware, while the application running under Ms Windows are commercial. The results obtained between these applications are relatively the same. It means that digital forensic analyst should also be well understood on the use of Ubuntu forensic applications as well as Ms Windows’s applications. If they do it, so they will have many forensic tools which can be applied in the investigation/analysis. When a tool does not give satisfied results, they should be able to use other tools either under Ubuntu or Ms Windows to yield the best results.

This journal is written with aims to broaden forensic view among forensic professionals. It is expected that they can explore packages provided on Ubuntu for forensic purposes. They should know that not only Ms Windows forensic applications which can be used for digital forensic, but also many tools on Ubuntu which can do the same thing with the same results. In some extent, Ubuntu gives stronger results than Ms Windows’s applications. For instance, dcfldd can be used for forensic imaging with different purposes. It can be used to image some certain blocks as desired as well as the whole drive imaging. This feature is not provided by imaging applications running under Ms Windows. Other instance is image metadata analysis through exif. On Ubuntu, there are some tools which can be used to analyse the image exif such as exif, exiftool and metacam. There are also tools which can be used to manipulate the exif values such as exiv2 and libjpeg-progs. All these tools are freeware.

One essential reason why the author frequently uses Ubuntu for digital forensic purposes such as forensic imaging is forensically sound write protect. It is compulsory for every digital forensic analyst to apply it when dealing with the storage drive evidence. It is aimed not to change the contents of drive either incidentally or deliberately. Once the contents is changed, so the next actions of digital forensic become doubt or even refused by the court, unless digital forensic analyst can explain comprehensively why (i.e. the relevance) it is changed and what the implications of that action. It is usually performed on live analysis with strict procedures. On dead analysis (i.e. post mortem) the analyst is still required to keep the contents of hard drive not changed. To reach this purpose, Ubuntu can be modified in order to give forensically sound write protect. It is performed by modifying the file /etc/fstab with the mount option is read-only, so whatever is done on the drive evidence, it does not change the contents. When accessing a text file, so this action does change the MAC (i.e. Modified, Accessed and Created) time at all. It remains unchanged, although the file is accessed. It occurs because the modification of the file /etc/fstab gives forensically sound write protect for any actions committed by the analyst on the drive.

With this feature, the analyst can do many things such as live analysis on the drive in order to speed up the investigation. It is frequently done when dealing with many drives as the evidence. If the regular procedure of digital forensic is performed, so it will take a long time for forensic imaging on each drive. To shortcut the investigation is to apply forensically sound write protect and then to read and analyse the drives directly. The aim of this action is that the analyst can know which drive among the drives has strong relationship with the case. Once it is obtained, so the analyst can carry out further analysis on it.

Below are the tools which can be used for the purposes of digital forensic analyses, anti-forensic and cracking. The number of tools for forensic purposes is twenty-five, while fifteen tools for anti-forensic and ten tools for cracking. Actually there are some tools having description related on these purposes, but it is not mentioned on this journal. One of powerful tools which is often used by the author is Autopsy. It is GUI version of The Sleuthkit created by Brian Carrier. What commercial applications running under Ms Windows such as Encase and FTK discover when analysing digital evidence is the same as what Autopsy finds.

The description of each tool below is directly quoted from Synaptic Package Manager created by Connectiva S/A and Michael Vogt on April 2009. This application provides an ease for Ubuntu users to install or uninstall Ubuntu packages. If they are still doubt on the use of certain package, they should read the description given on each package.

The full version of this journal can be downloaded at http://www.scribd.com/doc/23406648/Forensic-Cop-Journal-2-1-2009-Ubuntu-Forensic. I hope this journal could be useful in positive meaning for anybody who would like to explore Ubuntu for digital forensic purposes.

3 comments:

  1. I'm surprised that no one has pointed out to you the difference between Freeware and Open source as you've referred to ubuntu's software as freeware. Freeware being free but closed source so one can not scrutenize the function of the program to check its accuracy or method. This is vital to sluthkit's forensic viability because it claims to investigate in a non corruptive way. This is the only way it holds up in court.

    ReplyDelete
  2. I just discovered your blog. I'm very much interested in starting a computer forensics career. Thanks for the info.

    jegre e n 3 (at) y ahoo (dot) co m

    ReplyDelete
  3. Hay que poner la página web en ESPAÑOL

    ReplyDelete