Intro to Linux for Cyber Crime Investigators and Computer Forensic Examiners - PowerPoint PPT Presentation

1
Intro to Linux for Cyber Crime Investigators and Computer Forensic Examiners
By Ernest Baca, ebaca_at_linux-forensics.com, www.linux-forensics.com
2
History of Linux
  • 1991: Computer hardware was pushing the limits
    beyond what anyone expected. DOS was still
    reigning supreme in the world of personal
    computers. PC users had no other choice; Apple
    Macintosh prices were astronomical.
  • The other dedicated camp of computing was the
    Unix world. Unix was far more expensive and out
    of reach for PC users. The source code of Unix,
    once taught in universities courtesy of Bell
    Labs, was now cautiously guarded.
  • A solution appeared on the horizon called MINIX.
    It was written from scratch by Andrew S.
    Tanenbaum, a Dutch professor who wanted to teach
    his students the inner workings of a real
    operating system. It was designed to run on the
    Intel 8086 microprocessor.

3
History Continued
  • MINIX was not a superb operating system, but it
    had the advantage that the source code was
    available.
  • In 1991, Linus Benedict Torvalds was a second
    year student of Computer Science at the
    University of Helsinki and a self-taught hacker.
    Torvalds loved to tinker with the power of
    computers and the limits to which the system could
    be pushed. All that was lacking was an operating
    system that could meet the demands of
    professionals. MINIX was good, but it was still
    an operating system for students, designed as a
    teaching tool.
  • At the same time, programmers worldwide were
    greatly inspired by the GNU project by Richard
    Stallman, a software movement started in 1983 to
    provide free quality software. (GNU is a
    recursive acronym which actually stands for GNU
    is Not UNIX).

4
History Continued
  • On August 25, 1991, the historic post was sent to
    the MINIX newsgroup by Linus Torvalds.
  • Linus did not believe at the time that Linux was
    going to be big enough to change computing
    forever.
  • Linux version 0.01 was released by mid September
    1991 and was put on the Internet. Enthusiasm
    gathered, and code was downloaded, tweaked, and
    returned to Linus. Linux 0.02 came October 5th.
  • That was the start of a new generation of
    operating system.

5
Why Learn Linux for Cyber Crime Investigations?
  • Linux is one of the fastest growing operating
    systems. The odds of a Cyber Crime Investigator
    encountering a Linux system are becoming greater.
  • The Internet is made up of a majority of Linux
    systems. Learning the basic Linux system will
    help the investigator understand the concepts
    needed to effectively investigate Cyber Crime.
  • A majority of hackers and hard-core cyber-criminals
    don't use Windows-based systems. Learning the
    basic Linux concepts will help the Investigator
    effectively interview witnesses and suspects.
  • Learning the Linux system will assist the
    Investigator in Crime Scene response if a Linux
    system is encountered.

6
Misconceptions about Linux
  • Linux is too hard to learn!
  • Linux is for the Ya Ya Brotherhood and Ya Ya
    Sisterhood of computer gurus!
  • Linux is hard to install!
  • If you know Linux you're a COMPUTER GOD!
  • Linux is not a good teaching tool.
  • Linux is only command line driven and therefore
    too difficult!
  • You must know every Linux command to do anything
    useful with it.

7
Understanding Linux
  • Linux versions are referred to as kernel versions.
  • Linux systems are referred to as distributions.
  • A distribution is a collection of software that
    runs on the Linux kernel. Also referred to as a
    distro.
  • Different distributions behave differently (e.g.
    the file system layout may differ).
  • All distributions are available for download.
  • Source code is available for all distributions of
    Linux.

8
Linux Distributions
  • Red Hat: Most popular in industry
  • Debian: Many distributions are based on this
    distribution
  • Mandrake: Very popular distribution
  • SuSE: Most software-rich distribution
  • Slackware: Most popular amongst hackers; very
    user-unfriendly
  • Gentoo: Slowly replacing Slackware
  • Many more!

9
Next Generation Data Forensics
  • The Linux Solution

10
What is Data Forensics?
  • Process
  • Imaging data stored in electronic format
  • Authentication of Image
  • Analyzing the data
  • Reporting results in a neutral manner

11
How does Linux fit in to Data Forensics?
  • An out-of-the-box Linux system already has the
    built-in ability to image, authenticate, wipe,
    and search media!

12
Benefits of Linux as a Forensic Tool
  • Everything, including hardware, is treated as a
    file
  • Support for numerous file system types (many not
    recognized by Windows)
  • Ability to mount a file (such as a disk image)
  • Ability to analyze a live system in a safe and
    minimally invasive manner (no hardware or
    software write blocker needed)
  • Ability to redirect the standard output of one
    command into the input of another (multiple
    commands on one line)
  • Ability to review source code for most utilities
  • Ability to create bootable media
  • Linux is free, and so is its source code
  • Tools are mostly free or inexpensive (bottom line:
    cost efficient)
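The imaging, authentication and search steps from slides 10 to 12, carried out with the stock tools an out-of-the-box Linux system provides (dd, tee, sha256sum, grep) and the output redirection slide 12 mentions. This is an added example, not from the slides: the "media" is a constructed 1024-byte file, and the temporary paths and marker string are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the slides: image, authenticate and search a
# piece of media using only stock Linux tools. The media is a constructed
# file; on a real case the source would be a device node such as /dev/sdb.
set -u

# Build a 1024-byte stand-in for a device: filler, a known marker, filler.
make_sample_media() {
    { head -c 900 /dev/zero | tr '\000' 'x'
      printf 'CONSTRUCTED-MARKER-7c3a'
      head -c 101 /dev/zero; } > "$1"
}

# Print only the digest, dropping the trailing filename.
hash_file() { sha256sum "$1" | cut -d' ' -f1; }

# Image and authenticate in one pass: dd reads the source bit for bit,
# tee writes the image while the same bytes stream into sha256sum.
# conv=noerror,sync continues past read errors and zero-pads the failed
# block so offsets stay aligned; it also pads a final short block, so the
# source size must be a multiple of bs (true for whole devices at 512).
acquire_image() {
    local src="$1" img="$2"
    dd if="$src" bs=512 conv=noerror,sync 2>/dev/null \
        | tee "$img" | sha256sum | cut -d' ' -f1
}

# Re-hash source and image independently; a match authenticates the image.
verify_image() {
    [ "$(hash_file "$1")" = "$(hash_file "$2")" ]
}

# Search the image, never the original media. -a treats binary as text,
# -c prints the number of matching lines (0, not an error, when absent).
search_image() {
    grep -a -c -- "$2" "$1" || true
}

main() {
    local work hash
    work=$(mktemp -d)
    make_sample_media "$work/media"
    hash=$(acquire_image "$work/media" "$work/evidence.dd")
    echo "acquisition hash: $hash"
    verify_image "$work/media" "$work/evidence.dd" && echo "image authenticated"
    echo "marker hits: $(search_image "$work/evidence.dd" CONSTRUCTED-MARKER)"
    rm -rf "$work"
}
main
```

Record the acquisition hash in the case notes at the time of imaging; any later re-hash of the image that differs from it means the image can no longer be relied on.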

13
Questions of Death!
  • Does your software make mistakes?
  • How do I know your software does what it says it
    does?
  • Can you validate what you did?

14
Linux Tools
  • TASK / Autopsy: Tool used in data recovery and
    also used for data examination. www.atstake.com
  • Foremost: Data carving tool.
    foremost.sourceforge.net
  • The Coroner's Toolkit: Used for data recovery.
    www.porcupine.org/forensics/tct.html
  • Maresware: Linux tools for data forensics.
    www.dmares.com
  • SMART Forensic Software: GUI-based forensic
    software used for data acquisition, validation,
    examination and reporting. www.asrdata.com
  • Glimpse: Data indexing and search tool.
    www.glimpse.cs.arizona.edu

15
Linux Bootable Distributions
  • Bootable Business Card: Linux boot CD image
    suitable to burn onto a business card CD.
    www.lnx-bbc.org
  • PLAC: Portable Linux Auditing CD.
    sourceforge.net/projects/plac
  • F.I.R.E: Another bootable Linux CD.
    fire.dmzs.com
  • Knoppix: GUI-based Linux bootable CD.
    www.knoppix.de

16
Useful Linux Links
  • http://Ohiohtcia.org/linuxintro-1.8.1.pdf -
    Introduction to Linux for Data Forensics.
  • http://www.crazytrain.com - Website devoted to
    Linux data forensics.
  • http://www.linux.org - Good Linux resource for
    learning.
  • http://www.linux-directory.com - Another good
    Linux resource.
  • http://www.linux-forensics.com - My website
    devoted to the use of Linux as a data forensic
    tool. (Currently under construction)

17
DEMO TIME!!!