How to detect when OCFA is done processing

As emailed to me by Jochen:

I think it is possible to detect completion of the process, even if it is not that simple, due to the distributed nature of OCFA. To detect completion, you have to look at three to four places in OCFA:

First, in the database the location field of the metadatainfo table contains the phrase ‘[being processed]’ for all items being processed. SELECT count(*) FROM metadatainfo WHERE location = '[being processed]'; should return zero on completion.

Second, if the previous query returns a non-zero count, you also have to check the persistent queues for pending messages. If the only pending messages are those staying in the “never”-queue, the washing process is finished except for the evidence handled by the crashed modules. Further inspection of that evidence is necessary.

Third, if the query returns a non-zero count but all persistent message queues are empty, it could be that a background process is filling the working directory before further processing can take place. This can be checked by inspecting the overall size of the separate working directories: “du -ms /var/ocfa//work/default/”

A last step could be the inspection of “top -u ocfa” to check for module activity.

I hope this will help,

With kind regards,
Jochen
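As an added example (not part of Jochen's mail), a small POSIX shell watcher that polls two of the signals he lists, the metadatainfo count and the work-directory size, and stops once they say "finished". It assumes the metadata store is PostgreSQL reachable with psql, a database name in OCFA_DB, a case name in OCFA_CASE and the work path /var/ocfa/<case>/work/default; none of those names come from the mail.

```shell
#!/bin/sh
# Added example, not part of Jochen's mail: poll the metadatainfo count and the
# work-directory size he describes and stop once they say "finished".
# Assumptions (not from the mail): PostgreSQL reachable with psql, database
# name in OCFA_DB, work tree /var/ocfa/<case>/work/default, case in OCFA_CASE.
OCFA_DB="${OCFA_DB:-ocfa}"
OCFA_CASE="${OCFA_CASE:-default}"
WORK_DIR="/var/ocfa/${OCFA_CASE}/work/default"
INTERVAL="${INTERVAL:-30}"   # seconds between samples

# Items still marked '[being processed]' in metadatainfo (his first check).
being_processed() {
  psql -tA -d "$OCFA_DB" -c \
    "SELECT count(*) FROM metadatainfo WHERE location = '[being processed]';"
}

# Size of the work directory in MiB (his third check, "du -ms").
work_size_mb() {
  du -ms "$WORK_DIR" 2>/dev/null | cut -f1
}

# verdict COUNT PREV_MB CUR_MB prints one word:
#   done     nothing is being processed
#   filling  items pending and the work directory is still growing
#   inspect  items pending but nothing moves: look at the persistent queues
#            (messages left only in the "never" queue mean crashed modules)
#            and at "top -u ocfa" by hand; also used when the query failed
verdict() {
  case "$1" in ''|*[!0-9]*) echo inspect; return ;; esac   # unusable count
  if [ "$1" -eq 0 ]; then echo done
  elif [ "$3" -gt "$2" ]; then echo filling
  else echo inspect
  fi
}

# Poll until the verdict is no longer "filling": exit 0 on done, 2 on inspect.
watch_ocfa() {
  prev=$(work_size_mb)
  while :; do
    sleep "$INTERVAL"
    cur=$(work_size_mb)
    count=$(being_processed)
    state=$(verdict "$count" "$prev" "$cur")
    echo "$(date '+%F %T') being_processed=$count work_mb=$cur state=$state"
    case $state in done) return 0 ;; inspect) return 2 ;; esac
    prev=$cur
  done
}

if [ "${1:-}" = watch ]; then watch_ocfa; fi   # usage: ./ocfa_watch.sh watch
```

A failed or empty query deliberately yields "inspect" rather than "done", so a database outage is never mistaken for completion.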


REAPER SVN Access

Instructions for using SVN to get the newest version of the REAPER Project:

These instructions are for SVN from a Linux command line, and specifically Debian.

The REAPER forensics project hosted at SourceForge is split into 5 projects. Do not download the entire SVN tree unless you want the development version of everything included.

To download the entire SVN:

svn co https://reaperforensics.svn.sourceforge.net/svnroot/reaperforensics reaperforensics

To download a particular project from the SVN:

svn co https://reaperforensics.svn.sourceforge.net/svnroot/reaperforensics/%project_name% %project_name%


Where %project_name% is the particular one you want:
- REAPERlive
- REAPERliveDesktop
- REAPERlivePreview
- REAPERview
- Scripts

Explanation of command:
- svn - the program to access the svn repository
- co - “checkout” project
- https://reaperforensics.svn.sourceforge.net/svnroot/reaperforensics - the address of the project (this is the trunk of the project)
- reaperforensics - this is the local directory to download the project to


REAPER Preview Setup and Configuration

(Command line instructions)
6 Nov. 2010

REAPERlive Preview:
Extracting a working directory
Once you have downloaded the REAPERlivePreview build package
http://sourceforge.net/projects/reaperforensics/files/

Newest release at this time:
http://sourceforge.net/projects/reaperforensics/files/REAPERlivePreview/REAPERPreview_alpha-2_lh_config.tar.gz/download

Extract the package
tar -xzvf REAPERPreview_alpha-2_lh_config.tar.gz

Navigate to the working directory
cd REAPERlivePreview

Type ls
The directory should contain the “makeREAPERlivePreview.sh” script and three directories. This is your working directory.

Configuring the image type
makeREAPERlivePreview.sh is the build configuration script. You can customize REAPER with any software or architecture supported by Debian live, but the most important settings are at lines 39 and 40. Here you set what type of image you want to create, iso or img (cd or hard drive). Simply put a # in front of the type you do not want, and remove the # from the type you do want.
nano makeREAPERlivePreview.sh
use the arrow keys to scroll down to lines 39/40, where
#MEDIA="usb-hdd"
MEDIA="iso"
usb-hdd produces a .img file, and iso produces a .iso file. Put the # in front of the file type you do not want, and make sure to remove the # from the file type you do want.
hit ctrl+o and enter to save
hit ctrl+x to exit

Building the REAPER image
If there is already a folder named iso or usb-hdd (previous build) delete it
rm -r usb-hdd

After configuring makeREAPERlivePreview.sh you can build by typing: ./makeREAPERlivePreview.sh

Note: you must have a working internet connection

After the script is finished, you will have a new directory in the working directory titled either “usb-hdd” or “iso” depending on the type of image you specified.
Use cd usb-hdd to change to that directory.
Another folder for the architecture type will be found (usually i386).
cd i386

Now do ls and you will see binary.img or binary.iso (depending on what you specified).

If it is a .img file you can burn it to a usb stick or hard drive using dd. If it is an iso you must use cd burning software.

dd example – make sure you know what you are doing or you might erase your hard drive using dd!!

To image a usb stick:
First type fdisk -l
Note which drive is your usb stick, for example I have /dev/hda and /dev/sda
/dev/sda is my usb stick based on the size and partition tables listed
Unmount any mounted partitions (it is the partitions, e.g. /dev/sda1, that are mounted, not the whole-disk node; repeat for each one)
umount /dev/sda1

dd the image file to the stick – this will erase everything on the stick!!
dd if=binary.img of=/dev/sda

*Note: The created image file is a disk image, not a partition. Do not specify a pre-made partition like /dev/sda1 – it must be the full disk /dev/sda
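As an added example (not from the REAPER project), a set of POSIX shell guard rails for the dd step above: it refuses partition nodes such as /dev/sda1, refuses the disk that holds the running system, and unmounts every mounted partition of the target before writing. The device-name patterns are my assumptions and cover the usual Linux naming schemes only.

```shell
#!/bin/sh
# Added example, not from the REAPER project: guard rails for the
# "dd if=binary.img of=/dev/sda" step. Refuses partition nodes, refuses the
# disk holding the running system, and unmounts the target's partitions
# first. Device-name patterns are assumptions (usual Linux schemes only).

# Whole-disk node (/dev/sda, /dev/nvme0n1), not a partition (/dev/sda1).
is_whole_disk() {
  case "$1" in
    /dev/[sh]d[a-z]|/dev/vd[a-z]|/dev/mmcblk[0-9]|/dev/nvme[0-9]n[0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the mount points of filesystems living on DISK or one of its
# partitions, reading mount-table text (/proc/mounts format) from stdin.
mounts_on_disk() {
  awk -v d="$1" '$1 == d || $1 ~ ("^" d "p?[0-9]+$") { print $2 }'
}

# Return 0 if the root filesystem lives on DISK (so it must never be dd'd).
holds_root() {
  mounts_on_disk "$1" | grep -qx /
}

# write_image IMG DISK: validate, unmount the target's partitions, then dd.
write_image() {
  img=$1; disk=$2
  [ -f "$img" ] || { echo "no such image: $img" >&2; return 1; }
  is_whole_disk "$disk" || { echo "$disk is not a whole disk" >&2; return 1; }
  if holds_root "$disk" < /proc/mounts; then
    echo "$disk holds the running system, refusing" >&2; return 1
  fi
  for mp in $(mounts_on_disk "$disk" < /proc/mounts); do   # spaces come as \040
    umount "$mp" || return 1
  done
  dd if="$img" of="$disk" bs=4M conv=fsync status=progress && sync
}

# Constructed /proc/mounts sample for a dry run without touching real disks:
# here /dev/sda must be refused and /dev/sdb has one partition to unmount.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
/dev/sdb1 /media/stick vfat rw,nosuid 0 0
tmpfs /run tmpfs rw,nosuid 0 0'
```

Run as root with `write_image binary.img /dev/sdb` after confirming the device with fdisk -l as above; the sample table only exercises the checks.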

How to set up previewing profiles
From the working directory, change to user/REAPER/www/profiles
cd user/REAPER/www/profiles

Two profiles are already created, autorun and general.
autorun always runs automatically
general is the template for profiles that can be selected

Copy the general template to our new profile ‘exploitation’
cp -a general exploitation

Move to the new directory
cd exploitation

Type ls and you will see 3 files.
filetypes: the types of files in a particular category (movie, music, etc.) based on file extension.
General.profile: The current profile settings
keywords: keywords to search for, each on a new line

hashdb: an hfind compatible hash database (md5) can be added with the name hashdb

First rename the General.profile to Exploitation.profile. This is where the profile name gets detected.
mv General.profile Exploitation.profile

From the Exploitation.profile you can change the order or remove entries you are not interested in (the Music section, for example). In this example we will accept the defaults.

For exploitation we are interested in pictures and movies, so we will edit the file types.
nano filetypes

File types must be separated by a
so two entries would look like: .xls$ .xlsx$
Capitalization does not matter, but the variations do, jpg and jpeg for example.
Make the modifications as you see fit.

hit ctrl+o and enter to save
hit ctrl+x to exit

Now edit the keywords file
nano keywords

add a list of keywords that (semi-generically) correspond to the type of case you are investigating

hit ctrl+o and enter to save
hit ctrl+x to exit

You can also add a hfind md5 hash database, and it must be named hashdb

That is it. Now you can build a new live cd, and this profile will be automatically detected.

REAPERlive Preview POC Released

REAPERlive Preview has been released as a proof of concept. The ISO is available for download at SourceForge. Currently only images are displayed, but lists of documents, movies, and music are presented for a quick view. In our tests the entire preview process takes approximately 3 - 5 minutes to scan drives of 80 to 150Gb, after which a preview of pictures, movies, documents and music is available. Thumbnails of images are created in the background while manual previewing can take place.

Automatic imaging is also included in the USB version. The .img file has not been singleed yet, but you can download the newest source from the sourceforge svn and build the image using the included makeREAPERlivePreview.sh script (must be run from a Debian machine with live-helper installed).

More updates and documentation coming soon. Please email me with questions, comments and especially test results.

Download Preview ISO here.


Read-Only Loopback to Physical Disk

I have been testing file carving to try to preview the contents of a drive before imaging. File carving takes a long, long time. A faster solution (I think) is to mount the drive and search. Now for forensics mounting a drive is a big no no, but sometimes it is just needed. Especially if you want a 15 minute preview instead of a 2 day ‘preview’.

I work a lot with Debian Live, so the commands and how they work will pertain to Debian. Test everything (and tell me results)! Don’t take my word for it.

For mounting a drive under Linux you have the standard ‘mount’ command. When mounting you can specify the -o ro option, which theoretically puts you in a safe read-only state… or does it? Does it always work? Does it stop everything?

Another option that I recently found was the ‘blockdev’ command. You can specify that the blockdev is ro even before mounting.
blockdev --report
blockdev --setro /dev/device
But my professor brought up the point - these probably depend on the driver used. Maybe a driver for ntfs totally ignores the ro switch? I don’t totally agree that blockdev would be based on the driver, but how do you test whether the drive actually is in ro without writing? What if it fails?

Then the saving grace - loopback devices. Mount the partition as a file. You don’t need to worry about drivers, support, etc.
To do this use losetup to create a loopback device:
losetup -r /dev/loop1 /dev/hda1
This creates a read-only loopback device pointing to /dev/hda1.
Then you can mount the loopback device (read-only if you are paranoid)
mount -o ro /dev/loop1 /media/test
This mounts the loopback device loop1 at /media/test. You can then traverse the directory of /dev/hda1 just like it was mounted.
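The question above, how to confirm the device really is read-only without writing to it, can be answered from what the kernel itself reports. As an added example (mine, not from the post), POSIX shell helpers that attach the read-only loop and then check the raw device, the loop device and the mount for the ro state; they assume util-linux losetup/blockdev, and the device and mount names are placeholders.

```shell
#!/bin/sh
# Added example (not from the post): attach the read-only loop device the
# post describes, then confirm read-only status from what the kernel reports,
# with no write attempt. Assumes util-linux losetup/blockdev; the device and
# mount names in the comments are placeholders.

# Mark the raw partition read-only at the block layer (the blockdev approach
# above), then attach a read-only loop device on top of it and print its name.
attach_ro_loop() {           # attach_ro_loop /dev/hda1  -> /dev/loopN
  blockdev --setro "$1" && losetup -r -f --show "$1"
}

# Kernel's own view of a block device: blockdev --getro prints 1 for read-only.
dev_is_ro() {                # dev_is_ro /dev/loop1
  [ "$(blockdev --getro "$1")" = 1 ]
}

# Return 0 if the filesystem mounted at MNT carries the "ro" option, reading
# mount-table text (/proc/mounts format) from stdin.
mount_is_ro() {              # mount_is_ro /media/test < /proc/mounts
  awk -v m="$1" '$2 == m { n = split($4, o, ",");
                  for (i = 1; i <= n; i++) if (o[i] == "ro") f = 1 }
                 END { exit f ? 0 : 1 }'
}

# All three layers must agree: raw partition, loop device and the mount itself.
verify_ro() {                # verify_ro /dev/hda1 /dev/loop1 /media/test
  dev_is_ro "$1" || { echo "raw device $1 is writable" >&2; return 1; }
  dev_is_ro "$2" || { echo "loop device $2 is writable" >&2; return 1; }
  mount_is_ro "$3" < /proc/mounts || { echo "$3 is not mounted ro" >&2; return 1; }
  echo "ok: $1 -> $2 -> $3 is read-only at every layer"
}

# Typical run (needs root):
#   loop=$(attach_ro_loop /dev/hda1)
#   mount -o ro "$loop" /media/test
#   verify_ro /dev/hda1 "$loop" /media/test

# Constructed /proc/mounts sample for a dry run of mount_is_ro.
SAMPLE_MOUNTS='/dev/loop1 /media/test ext3 ro,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0'
```

One caveat worth knowing: ext3/ext4 will try to replay a dirty journal at mount time even with -o ro unless noload is also given, and with the loop device attached read-only that write is refused at the block layer, which is exactly why the loop is the safer place to enforce ro than the filesystem driver.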
