Read-Only Loopback to Physical Disk

I have been testing file carving to try to preview the contents of a drive before imaging. File carving takes a long, long time. A faster solution (I think) is to mount the drive and search. Now for forensics mounting a drive is a big no no, but sometimes it is just needed. Especially if you want a 15 minute preview instead of a 2 day ‘preview’.

I work a lot with Debian Live, so the commands and how they work will pertain to Debian. Test everything (and tell me results)! Don’t take my word for it.

For mounting a drive under Linux you have the standard ‘mount’ command. When mounting you can specify the -o ro option, which theoretically puts you in a safe read-only state… or does it? Does it always work? Does it stop everything?

Another option that I recently found was the ‘blockdev’ command. You can specify that the blockdev is ro even before mounting.
<blockquote>blockdev –report
blockdev –setro /dev/device</blockquote>
But my professor brought up the point - these probably depend on the driver used. Maybe a driver for ntfs totally ignores the ro switch? I don’t totally agree that blockdev would be based on the driver, but how do you test whether the drive actually is in ro without writing? What if it fails?

Then the saving grace - loopback devices. Mount the partition as a file. You don’t need to worry about drivers, support, etc.
To do this use losetup to create a loopback device:
<blockquote>losetup -r /dev/loop1 /dev/hda1</blockquote>This creates a read-only loopback device pointing to /dev/hda1
Then you can mount the loopback device (read-only if you are paranoid)
<blockquote>mount -o ro /dev/loop1 /media/test</blockquote>This mounts the loopback device loop1 at /media/test. You can then traverse the directory of /dev/hda1 just like it was mounted.

1 min read

REAPER Preview

Throughout the time I have been developing REAPER, many people in more developed countries have expressed a need for a type of forensic preview ability. Maybe they do not need to take an image of every machine. Fair enough, says I.

Because of this, I have been developing REAPER Preview. It is a live CD based off of Debian Live that automatically generates a preview of the data on the system. Currently I have gallery view of various photo, movie, document, and music formats. The preview is fairly superficial with speed in mind.

Also since REAPER is focused on acquisition the ability to automatically image the local suspect drives is still there.

For this version OCFA has been replaced by the PTK front-end to TSK. It is meant to be a very light collect-and-go with some analysis capability.

As always the goal of REAPER is to be as quick and easy as possible. While Preview is not 100% automatic yet, it is by far the easiest way to preview and image a suspect’s machine to an external hard drive.

I will be singleing everything I have for this version to the svn either tomorrow or this weekend. Feel free to email me if you would like more information.

1 min read

DFRWS 2009 - Montreal

Our group in the Centre for Cybercrime Investigation gave a presentation at the Digital Forensic Workshop 2009. The submitted paper can be found here. Also another paper from Damir Kahvedzic, also from CCI, was accepted. Bam.

Currently it is day 2 of the conference, and just before the “Forensic Rodeo”. I don’t really know what to expect. The presentations and keynotes so far have been quality. They have given me lots of ideas to apply to my own research, so I guess thats the point, eh?

I think some of the concepts that have been talked about can be applied (in some shape or form) to the REAPER project, but overall the focus of the community (represented via DFRWS) seems to be on distributed forensic systems, and more intelligent ways to represent data. Some automation was talked about, but not really as much as I expected. There was also a tool closed source tool that is similar to OCFA, but I cant find the project page right now. More on that later.

~1 min read

OCFA patch level 1 released - new modules!

The ocfa team is proud to announce the first patch-level release of OCFA Version 2.2.0. This patch level was necessary to fix some bugs, including:

- rulelist issues
- 64 BIT size_t issue in OcfaModules
- configuration scripts
- nasty PPQ bug
- better error reporting user interface

Also the first steps forward to use the new mmls treemodules are made. This should open the door to a carvpath enabled version of OCFA.

New modules added:

- Thumbs.db dissector (vinetto)
- index.dat extractor (pasco)
- multipart rar (rar)
- Disk partitions (mmls)

~1 min read

Something’s missing…

The other day I was looking around, and found It is a site dedicated to finding missing and exploited children in the US. They also have a sister site ICMEC that offers the same service for international missing children. I began looking into things like the amber alert system that anyone living in the US is probably very familiar with. Since I am now in Europe I wanted to know what the equivalent service is, and assumed there would be an EU-wide database. As of yet I have only been able to find Interpol’s missing children register. Amber alert apparently has an 80% success rate.

[Update] In 2010 Ireland started talking about working on an Amber Alert system. I assume, though, this was swept under the rug with the economic troubles.

~1 min read

PostgreSql Problems on Debian

In Debian 5 when installing PostgreSQL - if /var/singlegresql/8.3/main is not created, and the conf files are not available - use the following command:

pg_createcluster 8.3 main
/etc/init.d/singlegres-8.3 start

~1 min read