Forensics Distro for on-site ZFS analysis/Triage

 R3D2
(@r3d2)
Posts: 2
New Member
Topic starter
 

I've faced a big issue recently: a NAS system (FreeNAS) with a very large array of disks (ZFS pools) was apprehended, and for time/cost reasons we decided to use a forensics distro to analyze/triage/collect data… only to have every distro we got fail on us at recognizing the ZFS pools.

Later on we tried ZFS on Linux and searched for a FreeBSD forensics distro without much success. Have you got any experience dealing with this? (without imaging/mirroring all of the disks)

 
Posted : 08/11/2017 3:11 am
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

Have you got any experience dealing with this? (without imaging/mirroring all of the disks)

I have been working in the digital forensics business and using FreeBSD for nearly twenty years… but I never had a case like the one you mentioned. So my knowledge is 100% theory….

If I were you:
- take the normal FreeBSD 11 ISO file and boot it in a PC from CD/DVD
- use the live mode only. The FreeBSD project states they do not modify anything and the underlying OS is not touched; from my experience, this is true. Nothing is modified unless you manually mount and write anything
- attach the NAS via SATA/USB 3 or IEEE 1394 and put a physical write blocker in between
- mount the NAS with the mount command in r/o mode
- even if you can't use a write blocker for any reason, FreeBSD does not touch a single bit if mounted r/o only
- to gain the best performance, I would install FreeBSD on a physical machine and prepare this machine with common forensic tools to carve for the wanted files (Sleuthkit, for example)
- md5 and sha1/sha256 are built-in tools. Hash files before carving and after that to be confident nothing was tampered with

good luck!

Robin

 
Posted : 08/11/2017 9:48 am
(@mansiu)
Posts: 83
Trusted Member
 

- attach the NAS via SATA/USB 3 or IEEE 1394 and put a physical write blocker in between

I am kind of curious how to connect a NAS to a physical write blocker and then to the workstation.

 
Posted : 08/11/2017 10:25 am
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

- attach the NAS via SATA/USB 3 or IEEE 1394 and put a physical write blocker in between

I am kind of curious how to connect a NAS to a physical write blocker and then to the workstation.

If you have a look at the back side of the device, you usually find the above-mentioned ports and not only an RJ45 jack. I assume there is physical access to the device and not only an IP connection.

 
Posted : 08/11/2017 10:28 am
(@mansiu)
Posts: 83
Trusted Member
 

I thought those ports should be host ports; I am not sure if they can be configured as device ports.

 
Posted : 08/11/2017 11:28 am
(@athulin)
Posts: 1156
Noble Member
 

I've faced a big issue recently: a NAS system (FreeNAS) with a very large array of disks (ZFS pools) was apprehended, and for time/cost reasons we decided to use a forensics distro to analyze/triage/collect data… only to have every distro we got fail on us at recognizing the ZFS pools.

I'd guess some kind of release issue, in which case it is important to know what ZFS releases you have been trying. It might also be a local configuration issue, but I'm not a ZFS expert.

Might be as easy as locating a distro with the same ZFS release… although if it was, you would probably have identified it. But identifying the release seems likely to be important.

I'd start by asking the experts… i.e. ZFS experts. Try the FreeNAS community forum.
You should have error logs from your attempts to pass on to them; you did save boot logs?

Meanwhile I'd try to identify a boot disk, and possible ZFS configuration data on it. That might allow you to boot a basic system, reconfigure ZFS to read-only, and reboot.

If I can't find one, I might settle for "boot the system normally, reconfigure the relevant ZFS volumes read-only, and proceed from there". But not without having verified that read-only does what I want it to do… in that exact ZFS release that you have. So if you can't identify a boot disk, or the ZFS release in some header, count on doing two boots: one just to identify ZFS and other things, the next once you've made a plan based on that information.

 
Posted : 08/11/2017 4:21 pm
 R3D2
(@r3d2)
Posts: 2
New Member
Topic starter
 

@athulin @Bunnysniper It seems that ZFS is a bit unexplored. I'm really bummed that I can't go "full lab mode" on this (right now), but I'm very thankful for your insight. We took some notes and will work on being better prepared next time.

@athulin Sorry, no saved logs from our attempts with live distros (we didn't use the original boot system again after it was apprehended). I also believe it's probably a ZFS release issue.

 
Posted : 19/11/2017 9:19 pm