Project Outline: LINUX PAPER 1

In order to acquire an image from a disk that cannot be removed from a Linux computer, one has to go through the process of computer forensics. “The forensic acquisition of media refers to the process of making a bit-for-bit copy, or image file, of a piece of media. The image files created by forensic acquisition are frequently used in civil or criminal court proceedings, so great accuracy is required” (Kornblum, 2004). A Linux system is not able to see the last sector of a hard disk if the total number of sectors is odd. If that is the case, a BSD (Berkeley Software Distribution) variant should be used for imaging instead.
One requires an imaging system that boots from a F.I.R.E. (Forensic and Incident Response Environment) boot CD. First, look for evidence of whether the hard disk is running any operating system. The hard disk should then be imaged. To do this, obtain the F.I.R.E. boot CD. Note that the CD does not mount any partitions on its own; it is designed for forensics and incident response. Two alternatives to the F.I.R.E. boot CD are Knoppix and Penguin Sleuth.
Now the imaging process can begin. One should be aware of the size and the total number of sectors of the hard disk. The image drive (the disk that will receive the image) should then be wiped and formatted with the third extended (ext3) file system. The hard disk should be connected to the imaging system with the master/slave/cable-select jumper correctly placed. The BIOS should also be set to boot from CD only.
Boot the system to F.I.R.E. The best mode to use is the console, since in that mode there is less activity on the system. A menu is displayed; log in as root (the password is “firefire”). The disk should not be mounted. Next, identify the hard disks in the system, that is, which is the evidence disk and which is the image disk. For hard disks where the serial number does not match across the different parts of the output, do not use “current sector capacity” or the “host protected area feature set” as an indication of an HPA; look at “LBA user addressable sectors” instead. hdparm can be used to query and adjust hard disk settings in order to achieve optimal performance. However, caution should be taken when changing these settings on an evidence disk.
Now imaging can start. One imaging option is dd, the old standby; another is rda, which is built into F.I.R.E. and adds remote acquisition capability. There is also dcfldd, a variant of dd, which is the best of the three: it shows progress while imaging and is also included on the F.I.R.E. CD. When imaging is complete, shut down the system, disconnect the disks and store the acquired image.
Now you have the image and all that is left is to ensure its integrity and analyze it. For the analysis system, one uses Red Hat Linux with the NASA enhanced loopback drivers installed; these allow one to mount a complete disk image as a loopback device instead of only one partition. They come in different kernels for i386, i686, p4 and athlon architectures. Then install The Sleuth Kit and Autopsy, which together make up a forensic browser: The Sleuth Kit is a collection of command line tools, while Autopsy is a web server that one connects to with any browser. Next, install a disk carving utility called foremost. It extracts files from a data file by looking for known headers and footers.
The image can now be analyzed. First make it read only. After this, hash the complete image and compare the result to the hash of the drive and to the hash reported by dcfldd. Create backups on CDs: first compress the image and split it into chunks, hash the chunks, then burn the image chunks. The split image should then be reconstructed from the chunks.
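A compact version of this acquire, hash, compress, split and reconstruct sequence, added here as an example rather than taken from the paper or from F.I.R.E.: it uses plain dd, sha256sum, gzip and split (dcfldd adds progress reporting and on-the-fly hashing on top of dd), and a constructed 1 MiB file stands in for the evidence disk so it runs without root.

```shell
#!/bin/sh
# Added example, not from the paper: acquire an image with dd, hash the
# source and the image, compress and split the image into chunks for
# backup media, hash the chunks, then reconstruct and re-verify.
# A constructed 1 MiB file stands in for the evidence disk so this runs
# without root or real hardware; on a real acquisition the source is the
# device node, and dcfldd reports progress and hashes while it copies.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

sha() { sha256sum "$1" | cut -d' ' -f1; }

# make_evidence FILE: constructed sample "disk" of 2048 512-byte sectors
make_evidence() {
  dd if=/dev/urandom of="$1" bs=512 count=2048 2>/dev/null
}

# acquire SRC IMG: bit-for-bit copy; conv=noerror,sync keeps reading past
# unreadable sectors and zero-fills them instead of aborting the copy
acquire() {
  dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
  sha "$1" > "$2.src.sha256"   # hash taken from the evidence disk itself
  sha "$2" > "$2.sha256"       # hash of the image file
  [ "$(cat "$2.src.sha256")" = "$(cat "$2.sha256")" ]
}

# backup_chunks IMG: compress, split into 256 KiB pieces, hash each piece
backup_chunks() {
  gzip -c "$1" > "$1.gz"
  split -b 262144 "$1.gz" "$1.gz.part."
  sha256sum "$1".gz.part.* > "$1.parts.sha256"
}

# restore_chunks IMG OUT: verify every chunk hash, reassemble, decompress,
# and confirm the result hashes identically to the original image
restore_chunks() {
  sha256sum -c --quiet "$1.parts.sha256"
  cat "$1".gz.part.* | gunzip -c > "$2"
  [ "$(sha "$2")" = "$(cat "$1.sha256")" ]
}

run_demo() {
  make_evidence "$WORK/evidence.bin"
  acquire "$WORK/evidence.bin" "$WORK/evidence.dd"
  backup_chunks "$WORK/evidence.dd"
  restore_chunks "$WORK/evidence.dd" "$WORK/restored.dd"
}
run_demo && echo "image acquired, split, reconstructed: hashes match"
```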
After reconstruction, the image should be mounted as a loopback device with the NASA drivers. This can only be done as root. List the partition table, then mount the loopback device so that Autopsy can run on it. When this is done, unmount the image loopback. For Autopsy to run, the file systems do not necessarily need to be mounted. Autopsy allows one to browse through the active files on the command line or by using a graphical file manager.
Virus checking is the next step; one can use f-prot or BitDefender. The check ensures that no viruses are transferred from the disk. Now you can run foremost. Copy the foremost configuration file from the install directory to the current directory, then edit it for the image you are working on. Foremost creates a new output directory, serial_no.fm; if it already exists, it must be empty. Now foremost can be run, either on the disk image or on the loopback device. It would also be possible to run it on the free space extracted by Autopsy. Foremost reads through the image without interpreting the file system, so logical files, deleted files and data in free space are all extracted. Note that a file's data blocks must be contiguous for foremost to recover it intact.
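To make the header/footer mechanism and the contiguity caveat concrete, here is a toy carver added as an example; it is not foremost and not from the paper. It uses made-up ASCII marker strings and a constructed image containing one contiguous file and one copy broken up by another file's blocks.

```shell
#!/bin/sh
# Added example, not from the paper and not foremost itself: a minimal
# header/footer carver showing what foremost does. It scans a raw image for
# a known header and the next footer, ignoring the file system entirely,
# and copies that byte range out. The constructed image holds one contiguous
# file and one copy split by another file's blocks, to show why a carver
# needs the file to be contiguous. Marker strings and filler are made up.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
HDR='%PDF-'; FTR='%%EOF'   # ASCII stand-ins for a real header/footer pair

# make_image IMG: filler, a contiguous file, filler, then a fragmented copy
make_image() {
  {
    head -c 300 /dev/zero | tr '\000' '.'
    printf '%s' "${HDR}hello evidence${FTR}"   # contiguous: carves cleanly
    head -c 200 /dev/zero | tr '\000' '.'
    printf '%s' "${HDR}hello "                 # first fragment
    printf '%s' 'JUNKJUNKJUNK'                 # another file's blocks
    printf '%s' "evidence${FTR}"               # second fragment
    head -c 100 /dev/zero | tr '\000' '.'
  } > "$1"
}

# carve IMG OUTDIR: for each header offset, take the first footer after it
# and copy header..footer into OUTDIR/<n>.carved; prints how many were cut
carve() {
  n=0
  for h in $(grep -obaF -- "$HDR" "$1" | cut -d: -f1); do
    f=$(grep -obaF -- "$FTR" "$1" | cut -d: -f1 | awk -v h="$h" '$1 > h' | head -n1)
    [ -n "$f" ] || continue
    n=$((n + 1))
    dd if="$1" of="$2/$n.carved" bs=1 skip="$h" count=$((f - h + ${#FTR})) 2>/dev/null
  done
  echo "$n"
}

make_image "$WORK/disk.dd"
carve "$WORK/disk.dd" "$WORK" >/dev/null
cat "$WORK/1.carved"; echo          # intact
cat "$WORK/2.carved"; echo          # foreign blocks carved along with it
```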
The Sleuth Kit or Autopsy can now be run; this must be done as root. Next start the web browser, as a non-root user. Autopsy displays a web address which you should follow. For The Sleuth Kit to work, the images should be of individual partitions. This can be achieved by splitting the partition image out of the disk image or by pointing Autopsy to the loopback-mounted file system. Chuck Willis (2003) has identified the initial steps of handling Autopsy as:

i. Create a case
ii. Create a host (a computer, or hard disks and partitions)
iii. Add the image with the symlink option to /dev/loopa1. Take care when naming the mount point.
If you want to access the image, go to file analysis, which lets you browse through the file system; however, you can only browse one partition at a time. A deleted file has a check mark on the left of the interface. Deleted files appear in two shades, bright red and dark red. Bright red means the file's data blocks are free, that is, not allocated to another file; dark red indicates that the data blocks have been allocated to a different file. You can browse again and look for the right file. The process is now over and the image has been recovered.

References
Seglem, K. K. (2002). Introduction to Digital Evidence Reconstruction using UNIX Systems. In E. Casey (Ed.), Handbook of Computer Crime Investigation. Academic Press.
Kornblum, J. D. (2004). The Linux Kernel and the Forensic Acquisition of Hard Disks with an Odd Number of Sectors.
Willis, C. (2003). Forensics with Linux 101. Black Hat USA.
