REAPER Preview POC Mentioned
The REAPER Preview Proof of Concept was mentioned on nukeitdotorg!
Also an updated version of REAPERlive that can be imaged directly to any USB hard drive (without using the Debian Live build scripts) will be released soon. More details in the coming days.
Thanks again nukeit.org!
How to detect when OCFA is done processing
As emailed to be by Jochen:
I think it is possible to detect completion of the process, even if it is not that simple, due to the distributed nature of OCFA. To detect completion, you have to look at three to four places in OCFA:
First, in the database the location field of the metadatainfo table contains the phrase ‘[being processed]’ for all items being processed. SELECT count() FROM metadatainfo WHERE location = ‘[being processed]’; should return zero on completion.
Second, in the case a non-zero returns from previous query, you also have to check the persistent queues for messages pending. If the only messages pending are messages staying in the “never”-queue, the washing process is finished except for the evidence handled by the crashed modules. Further inspection of that evidence is necessary.
Third, in the case a non-zero returns from the query, but all persistent message queues are empty, it could be that a background process is filling the working directory before further processing can take place. This could be checked by inspecting the overall size of the separate working directories: “du -ms /var/ocfa//work/default/“
A last step could be the inspection of “top -u ocfa” to check for module activity.
I hope this will help,
With kind regards,
Jochen
REAPER SVN Access
Instructions for using SVN to get the newest version of the REAPER Project:
These instructions are for SVN from a Linux command line, and specifically Debian.
The REAPER forensics project hosted at SourceForge is split in to 5 projects. Do not download the the entire SVN tree unless you want the development version of everything included.
To download the entire SVN:svn co https://reaperforensics.svn.sourceforge.net/svnroot/reaperforensics reaperforensics
To download a particular project from the SVN:svn co https://reaperforensics.svn.sourceforge.net/svnroot/reaperforensics/%project_name% %project_name%
Where %project_name% is the particular one you want:
<ul><li>REAPERlive</li><li>REAPERliveDesktop</li><li>REAPERlivePreview</li><li>REAPERview</li><li>Scripts</li></ul>Explanation of command:
<ul><li>svn - the program to access the svn repository</li><li>co - “checkout” project</li><li>https://reaperforensics.svn.sourceforge.net/svnroot/reaperforensics - the address of the project (this is the trunk of the project)</li><li>reaperforensics - this is the local directory to download the project to</li></ul>
REAPER Preview Setup and Configuration
| (Command line instructions) 6 Nov. 2010 REAPERlive Preview: Extracting a working directory Once you have downloaded the REAPERlivePreview build package http://sourceforge.net/projects/reaperforensics/files/ Newest release at this time: http://sourceforge.net/projects/reaperforensics/files/REAPERlivePreview/REAPERPreview_alpha-2_lh_config.tar.gz/download Extract the package tar –xvfz REAPERPreview_alpha-2_lh_config.tar.gz Navigate to the working directory cd REAPERlivePreview Type ls The directory should contain the “makeREAPERlivePreview.sh” script and three directories. This is your working directory. Configuring the image type makeREAPERlivePreview.sh is the build configuration script. You can customize REAPER with any software or architecture supported by Debian live, but the most important setting is at like 39 and 40. Here you can set what type of image you want to create, iso or img (cd or hard drive). Simply put a # in front of the type you do not want, and remove the # from the type you do want. nano makeREAPERlivePreview.sh use the arrow key to scroll down to line 39/40 where #MEDIA=”usb-hdd” MEDIA=”iso” usb-hdd produces a .img file, and iso produces a .iso file. Put the # in front of the file type you do not want, and make sure to remove the # from the file type you do want. hit ctrl+o and enter to save hit ctrl+x to exit Building the REAPER image If there is already a folder named iso or usb-hdd (previous build) delete it rm –r usb-hdd After configuring makeREAPERlivePreview.sh you can build by typing: ./makeREAPERlivePreview.sh Note: you must have a working internet connection After the script is finished, you wil have a new directory in the working directory titled either “usb-hdd” or “iso” depending on the type of image you specified. Use cd usb-hdd to change to that directory. Another folder for the architecture type will be found (usually i386). cd i386 Now do ls and you will see binary.img or binary.iso (depending on what you specified). If it is a .img file you can burn it to a usb stick or hard drive using dd. If it is a iso you must use cd burning software. dd example – make sure you know what you are doing or you might erase your hard drive using dd!! To image a usb stick: First type fdisk –l Note which drive is your usb stick, for example I have /dev/hda and /dev/sda /dev/sda is my usb stick based on the size and partition tables listed Unmount any mounted partitions umount /dev/sda dd the image file to the stick – this will erase everything on the stick!! dd if=binary.img of=/dev/sda *Note: The created image file is a disk image, not a partition. Do not specify a pre-made partition like /dev/sda1 – it must be the full disk /dev/sda How to set up previewing profiles From the working directory, change to user/REAPER/www/profiles cd user/REAPER/www/profiles Two profiles are already created, autorun and general. autorun always runs automatically general is the template for profiles that can be selected Copy the general template to our new profile ‘exploitation’ cp –a general exploitation Move to the new directory cd exploitation Type ls and you will see 3 files. Filetypes: the types of files in a particular category (movie, music, etc.) based on file extension. General.profile: The current profile settings keywords: keywords to search for, each on a new line hashdb: an hfind compatable hash database (md5) can be added with the name hashdb First rename the General.profile to Exploitation.profile. This is where the profile name gets detected. mv General.profile Exploitation.profile From the Exploitation.profile you can change the order or remove entries you are now interested in (the Music section, for example). In this example we will accept the defaults. For exploitation we are interested in pictures and movies, so we will edit the file types. nano filetypes File types must be separated by a |
so two entries would look like: .xls$ | .xlsx$ Capitalization does not matter, but the variations do, jpg and jpeg for example. Make the modifications as you see fit. hit ctrl+o and enter to save hit ctrl+x to exit Now edit the keywords file nano keywords add a list of keywords that (semi-generically) correspond to the type of case you are investigating hit ctrl+o and enter to save hit ctrl+x to exit You can also add a hfind md5 hash database, and it must be named hashdb That is it. Now you can build a new live cd, and this profile will be automatically detected. |
REAPERlive Preview POC Released
REAPERlive Preview has been released as a proof of concept. The ISO is available for download at sorceforge. Currently only images are displayed, but lists of documents, movies, and music are presented for a quick view. In our tests the entire preview process takes approximately 3 - 5 minutes to scan drives of 80 to 150Gb, after which a preview of pictures, movies, documents and music is available. Thumbnails of images are created in the background while manual previewing can take place.
Automatic imaging is also included in the USB version. The .img file has not been singleed yet, but you can download the newest source from the sourceforge svn and build the image using the included makeREAPERlivePreview.sh script (must be run from a Debian machine with live-helper installed).
More updates and documentation coming soon. Please email me with questions, comments and especially test results.
Download Preview ISO here.
Read-Only Loopback to Physical Disk
I have been testing file carving to try to preview the contents of a drive before imaging. File carving takes a long, long time. A faster solution (I think) is to mount the drive and search. Now for forensics mounting a drive is a big no no, but sometimes it is just needed. Especially if you want a 15 minute preview instead of a 2 day ‘preview’.
I work a lot with Debian Live, so the commands and how they work will pertain to Debian. Test everything (and tell me results)! Don’t take my word for it.
For mounting a drive under Linux you have the standard ‘mount’ command. When mounting you can specify the -o ro option, which theoretically puts you in a safe read-only state… or does it? Does it always work? Does it stop everything?
Another option that I recently found was the ‘blockdev’ command. You can specify that the blockdev is ro even before mounting.
<blockquote>blockdev –report
blockdev –setro /dev/device</blockquote>
But my professor brought up the point - these probably depend on the driver used. Maybe a driver for ntfs totally ignores the ro switch? I don’t totally agree that blockdev would be based on the driver, but how do you test whether the drive actually is in ro without writing? What if it fails?
Then the saving grace - loopback devices. Mount the partition as a file. You don’t need to worry about drivers, support, etc.
To do this use losetup to create a loopback device:
<blockquote>losetup -r /dev/loop1 /dev/hda1</blockquote>This creates a read-only loopback device pointing to /dev/hda1
Then you can mount the loopback device (read-only if you are paranoid)
<blockquote>mount -o ro /dev/loop1 /media/test</blockquote>This mounts the loopback device loop1 at /media/test. You can then traverse the directory of /dev/hda1 just like it was mounted.