Saturday 26 December 2009

Forensic Cop Journal 2(3): Standard Operating Procedure of Acquisition on Ubuntu

Introduction

When dealing with storage-media evidence, a digital forensic analyst must be careful during acquisition. Once a mistake is made, every subsequent step becomes doubtful, and the result may even be rejected by the court. Because acquisition is so important in digital forensics, it must be handled properly. So that the output of the acquisition process is reliable, this journal discusses how to perform it properly on a Linux Ubuntu machine.

Usually the acquisition process is performed with forensic applications such as FTK Imager from AccessData and EnCase from Guidance Software, running under the Microsoft Windows operating system. This journal gives the digital forensic analyst a different perspective: how to do it on an Ubuntu analysis workstation. The output produced on the Ubuntu machine is the same as the output yielded by the applications above, so the analyst has more than one way to perform the acquisition.

One principle of digital forensics that the analyst must understand is never to rely on a single application for the analysis. The analyst should have as many forensic applications as possible for any one forensic job; with such a set, the analyst can choose among them and select the one or more that give the best results. To use these applications properly, the analyst should also understand the digital forensic procedure well.

Step 1: Preparing the machine for forensically sound write protection

After the boot process finishes, open the command console (terminal) and type the following command to become the super user, who has the privilege to modify any file on the machine.

sudo -s


After that, type the command below:

gedit /etc/fstab

This command edits the file fstab stored in the folder /etc. The file is edited to configure the “write protect” condition, and opening it also lets the analyst confirm whether the “write protect” configuration has already been applied. Under this configuration, any storage medium such as a hard disk or flash disk attached to the analysis machine through the USB port is protected from accidental or deliberate changes: no action applied to the evidence medium affects its contents, which remain unchanged during acquisition.

If the file has not yet been configured for “write protect”, add the lines below to /etc/fstab. They can be placed at the end of the file.

# Read Only Configuration
/dev/sdb     /media/sdbro     auto   noauto,user,ro,nosuid,nodev,uhelper=hal   0   0
/dev/sdb1   /media/sdb1ro   auto   noauto,user,ro,nosuid,nodev,uhelper=hal   0   0
/dev/sdb2   /media/sdb2ro   auto   noauto,user,ro,nosuid,nodev,uhelper=hal   0   0
/dev/sdb3   /media/sdb3ro   auto   noauto,user,ro,nosuid,nodev,uhelper=hal   0   0
/dev/sdb4   /media/sdb4ro   auto   noauto,user,ro,nosuid,nodev,uhelper=hal   0   0
/dev/sdb5   /media/sdb5ro   auto   noauto,user,ro,nosuid,nodev,uhelper=hal   0   0


/media/sdbro is the mount point for the evidence storage medium, which is usually detected as /dev/sdb, while /media/sdb1ro to /media/sdb5ro are the mount points for its partitions /dev/sdb1 to /dev/sdb5. Five partitions are listed to anticipate the possibility that the storage medium has up to five partitions. To create these mount points, type the following commands.

mkdir /media/sdbro
mkdir /media/sdb1ro
mkdir /media/sdb2ro
mkdir /media/sdb3ro
mkdir /media/sdb4ro
mkdir /media/sdb5ro


After the configuration above has been added to /etc/fstab, save the file. The file is now ready for forensically sound write protection. For further information, see the related forensic journal at http://forensiccop.blogspot.com.
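A check a practitioner will want after this step: the shell script below, added here as an example and not part of the original journal, confirms that a device has a read-only entry among the fstab lines above and that the mounted partition really carries the ro flag in /proc/mounts. The fstab and mounts text it works on is constructed sample data.

```sh
#!/bin/sh
# Added example, not from the journal: confirm that the "write protect"
# configuration described above is both present in /etc/fstab and actually
# in effect on a mounted evidence partition. Sample data is constructed.

# Constructed /etc/fstab excerpt: two read-only lines as in the article,
# plus one ordinary read-write line for contrast.
SAMPLE_FSTAB='# Read Only Configuration
/dev/sdb     /media/sdbro     auto   noauto,user,ro,nosuid,nodev,uhelper=hal   0   0
/dev/sdb1   /media/sdb1ro   auto   noauto,user,ro,nosuid,nodev,uhelper=hal   0   0
/dev/sdc1   /media/sdc1     auto   noauto,user,rw,nosuid,nodev   0   0'

# Constructed /proc/mounts excerpt after the evidence has been mounted.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sdb1 /media/sdb1ro vfat ro,nosuid,nodev,relatime 0 0
/dev/sdc1 /media/sdc1 ext3 rw,nosuid,nodev,relatime 0 0'

# Shared helper: read fstab/mounts-style lines on stdin and succeed only if a
# line whose field KEYFIELD equals KEY carries the exact option "ro" in the
# comma-separated 4th field. Splitting on commas avoids a false match on
# options such as "errors=remount-ro".
_ro_option_present() {
    awk -v keyfield="$1" -v key="$2" '
        /^[[:space:]]*#/ || NF < 4 { next }   # skip comments and blank lines
        $keyfield == key {
            found = 1
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "ro") ro = 1
        }
        END { if (found && ro) exit 0; exit 1 }'
}

# fstab_entry_is_ro FSTAB_TEXT DEVICE: is DEVICE configured with "ro"?
fstab_entry_is_ro() {
    printf '%s\n' "$1" | _ro_option_present 1 "$2"
}

# mount_is_ro MOUNTS_TEXT MOUNTPOINT: is MOUNTPOINT currently mounted "ro"?
mount_is_ro() {
    printf '%s\n' "$1" | _ro_option_present 2 "$2"
}

# On a real workstation, feed the live files instead of the samples:
#   fstab_entry_is_ro "$(cat /etc/fstab)" /dev/sdb1
#   mount_is_ro "$(cat /proc/mounts)" /media/sdb1ro
```

Both functions return exit status 0 when the ro option is present and 1 otherwise, so they can gate the acquisition step in a script.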

For the full version of this journal, please access http://www.scribd.com/doc/24519235/Forensic-Cop-Journal-2-3-2009-Standard-Operating-Procedure-of-Acquisition-on-Ubuntu. I hope this journal is useful for those who would like to experience the digital forensic world.
