Making Linux Forensically Sound


minime2k9
Senior Member
 

Making Linux Forensically Sound

Posted: Jul 09, 18 10:25

So there is a lot of information on how to create your own Linux distribution and a lot of 'forensic' Linux distributions; however, I have been unable to find much information on how they actually achieve this, definitely not enough to create your own forensic distribution.
With the exception of a kernel patch or two, I can't really find much on the techniques used and what they are actually doing.
Has anyone got any sources of information on this area?
 
  

jaclaz
Senior Member
 

Re: Making Linux Forensically Sound

Posted: Jul 09, 18 10:47

- minime2k9
So there is a lot of information on how to create your own Linux distribution and a lot of 'forensic' Linux distributions; however, I have been unable to find much information on how they actually achieve this, definitely not enough to create your own forensic distribution.
With the exception of a kernel patch or two, I can't really find much on the techniques used and what they are actually doing.
Has anyone got any sources of information on this area?


With all due respect :) (and not to put you down in any way), are you really sure that there is a need for (yet another) Linux forensic distro?

Or would it be easier/better to take an existing, already maintained one such as (examples) Caine:
www.caine-live.net/
or Deft:
www.deftlinux.net/

and verify/validate them (possibly giving feedback to the maintainers in case of issues)?

AFAICT both the examples above just work, the only thing that may (or may not) be needed is the patch by thefuf:
www.forensicfocus.com/...c/t=16195/

More or less (and AFAIK) all of these have simply boot-time automount disabled and easy provisions to mount read only the disks/filesystems, besides a number of useful programs pre-configured.

If you want to start from (almost) scratch, maybe you can start from the mentioned very minimal OSForensics distro (intended only to create images) and build upon it:
www.osforensics.com/to...mages.html

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

minime2k9
Senior Member
 

Re: Making Linux Forensically Sound

Posted: Jul 09, 18 12:31

Jaclaz,

I would love to, except we have the following issues:
We need to install the distribution on a machine
and have write persistence (so can't put the ISO on disk and boot)
and work on an M.2 SSD.
So DEFT hasn't been updated in so many years that it is on kernel 3.x rather than 4, so it doesn't support M.2 or Thunderbolt.
CAINE allows you to use M.2 and install (I think), but if you install on an M.2 there is no way to un-writeblock your system drive and keep persistence.
Having emailed DEFT several times (my preferred distribution), they still haven't released DEFT X, which was supposed to be out in November/maybe earlier.
Much as I realize that it is a total pain and possibly unnecessary, at least we will be able to update as and when features come out - the system is only really used for imaging.
 
  

jaclaz
Senior Member
 

Re: Making Linux Forensically Sound

Posted: Jul 09, 18 13:04

- minime2k9

CAINE allows you to use M.2 and install (I think), but if you install on an M.2 there is no way to un-writeblock your system drive and keep persistence.


You sure? (there must be *some* ways).

I have just checked and the "persistent" installation instructions via Systemback seem to refer to the old version 6.0, but maybe the same is possible on newer versions using, if not the same, a similar approach?

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

minime2k9
Senior Member
 

Re: Making Linux Forensically Sound

Posted: Jul 09, 18 13:12

Unless I'm missing something, there is a utility to un-block devices; however, it won't 'see' the M.2 SSD.
I might be able to replicate the command-line equivalent and pass the correct block device.
 
  

thefuf
Senior Member
 

Re: Making Linux Forensically Sound

Posted: Jul 09, 18 13:35

- minime2k9
We need to install the distribution on a machine
and have write persistence (so can't put the ISO on disk and boot)


There is no one-size-fits-all solution to achieve this. In general, you need to do the following:
1. Patch a kernel to include the software write blocking. Otherwise, you won't be able to mount a file system read-only (the -o ro argument for the mount command doesn't disable writes completely; the blockdev --setro <device> and hdparm -r1 <device> commands don't work as expected without such a patch).
2. Put a set of userspace scripts and a udev rule in place to mark all block devices as read-only when they are attached.
3. Disable anything that will automount a file system on a suspect drive (typically, this is managed by code in an initramfs, and/or in init scripts, and/or in a udev rule, and/or in a configuration tool for your desktop environment; all of these locations must be checked).
4. Disable anything that will autoactivate LVM volumes on a suspect drive (typically, this is managed by a udev rule and/or in an initramfs).
5. Disable anything that will autoactivate software RAID volumes on a suspect drive (typically, this is managed by a udev rule and/or in an initramfs).
6. Disable anything that will autoactivate swap partitions on a suspect drive (typically, this is managed by code in an initramfs, and/or in init scripts, and/or in a udev rule).
7. Ensure that booting your system with a suspect drive attached will never run untrusted code from that drive (check the value of the "root=" boot option to see if it contains a non-unique value like a file system label; it should contain the UUID of your root file system).
 
  
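Two of the steps in thefuf's list can be turned into small, checkable pieces of shell: the udev rule from step 2 and the `root=` check from step 7. The script below is an added example and is not code from the thread, from CAINE/DEFT, or from thefuf's patch. It assumes a kernel that already carries the write-blocking patch from step 1 (without it, as the post says, `blockdev --setro` is not a reliable block), and it assumes the system disk is identified by its kernel name (`nvme0n1` is used here as a placeholder for an M.2 drive); the rule file name `10-forensic-readonly.rules` is likewise an assumption. The kernel command line passed to `root_is_uuid` in the usage lines is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Helpers for steps 2 and 7 of the
# procedure above. Assumes the step 1 kernel patch is already applied;
# "blockdev --setro" is only trusted on such a kernel.

# Step 2: emit a udev rule that runs "blockdev --setro" on every block
# device as it is added, except the system disk (given by kernel name,
# e.g. nvme0n1 for an M.2 drive; an assumption, adjust per machine),
# loop devices and ramdisks. %k is udev's kernel name of the device.
udev_ro_rule() {
    sysdisk="$1"
    printf '%s\n' \
      "# 10-forensic-readonly.rules (generated; file name is an assumption)" \
      "ACTION==\"add\", SUBSYSTEM==\"block\", KERNEL!=\"${sysdisk}*\", KERNEL!=\"loop*\", KERNEL!=\"ram*\", RUN+=\"/sbin/blockdev --setro /dev/%k\""
}

# Step 7: inspect a kernel command line and report whether root= is
# pinned to a full UUID. Returns 0 for root=UUID=<36-char uuid>, and
# 1 for a label, a /dev path or a missing root=, any of which could
# resolve to a suspect drive carrying a same-named file system.
root_is_uuid() {
    cmdline="$1"
    root=""
    for arg in $cmdline; do
        case "$arg" in
            root=*) root="${arg#root=}" ;;
        esac
    done
    case "$root" in
        UUID=????????-????-????-????-????????????) return 0 ;;
        *) return 1 ;;
    esac
}

# After booting, list block devices the kernel still reports writable
# (read from sysfs, no root needed). Anything but the system disk here
# means the rule above did not fire for it. Only meaningful on a real
# machine; it is not exercised by the usage lines below.
writable_block_devices() {
    for ro in /sys/class/block/*/ro; do
        [ -r "$ro" ] || continue
        dev=${ro%/ro}; dev=${dev##*/}
        [ "$(cat "$ro")" = "0" ] && printf '%s\n' "$dev"
    done
}

# Usage: write the rule for a system disk named nvme0n1, then check a
# constructed command line the way one would check /proc/cmdline.
udev_ro_rule nvme0n1
if root_is_uuid "BOOT_IMAGE=/vmlinuz root=LABEL=rootfs ro quiet"; then
    echo "root= is a UUID"
else
    echo "WARNING: root= is not a UUID; a suspect drive could match it"
fi
```

To apply it on a live system you would redirect `udev_ro_rule nvme0n1` into `/etc/udev/rules.d/`, reload udev, and then run `root_is_uuid "$(cat /proc/cmdline)"` and `writable_block_devices` after a boot with a known-content test drive attached. The rule covers attachment only; steps 3 to 6 (automount, LVM, RAID and swap activation) still have to be disabled in the initramfs and init scripts as the post describes.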

thefuf
Senior Member
 

Re: Making Linux Forensically Sound

Posted: Jul 09, 18 13:37

- minime2k9
a lot of 'forensic' Linux distributions


There are data modification and code execution issues with many of them: Kali, CAINE, PALADIN, etc.  
 
