Chapter 18
Digital Evidence on UNIX Systems
On completion of this chapter, the student will:
Recognize that most UNIX system information is available for review.
Be aware that the openness of UNIX systems presents both opportunities and
challenges to digital investigation.
Recognize that many native UNIX tools are useful to the digital examiner.
Recognize that there are numerous open source UNIX-based forensics tools available.
Be aware that currently there are no tools available that can analyze the ext3
journaling system.
Be aware that UNIX does not have a file slack.
Be aware that some automated forensic tools can process some portions of UNIX file
systems.
Chapter Guide
Various permutations of UNIX (Solaris, AIX, HP-UX) have been around for over 30 years. UNIX is
an extremely stable, powerful multi-user environment with built-in support for networking.
Because some of the variants have been made available under Open Source agreements (Linux,
OpenBSD, FreeBSD), startup implementation costs have been minimized. In addition, a great
deal of software has also been released under Open Source agreements, providing a wide range
UNIX Evidence Acquisition Boot Disk
A fundamental capability of the UNIX file system is the ability to mount storage devices read-only.
However, there is still a possibility that the system could make changes to an evidentiary device, so a
hardware write-blocker can be used as well. (Recall that this capability is NOT supported in the standard
DOS/Windows environments.) Since this capability is inherent in the UNIX environment,
making an Evidence Acquisition boot disk is the straightforward process of making some media,
such as a CD-ROM, bootable in a UNIX variant and including the software tools needed
File Systems
UNIX supports several file systems such as UFS (UNIX File System), ext2 and ext3 (Extended
File System 2 and 3), and Reiser. They all have similar structures for managing the file system.
Each UNIX partition is divided into block groups. Each block group
contains, among other things, an inode (index node) table. An inode table consists of entries
representing either directories or files. A directory inode entry contains the names of those files
and directories associated with it, and their respective inode numbers. A file inode entry
contains all information about the file except its name (i.e., owner/group ID, permissions, file type,
date-time stamps, reference count, file size in bytes, data block numbers). The file block numbers
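The split between a directory entry (name plus inode number) and the inode (everything else) can be seen with native tools. The script below is an added example, not part of the chapter: it creates a file, gives it a second name with a hard link, and shows that both names resolve to the same inode, that the inode's reference count rises and falls with the number of names, and that removing one name leaves the data reachable through the other. It assumes POSIX ls, ln, rm and mktemp in a writable temporary directory.

```shell
#!/bin/sh
# Added example: directory entries are name -> inode-number mappings; the inode holds the
# metadata (here we look at the reference count) and points at the data blocks.

# Print the inode number of a path, as a directory entry would record it.
inode_of() {
    ls -di "$1" | awk '{print $1}'
}

# Print the hard-link (reference) count kept in the inode.
link_count_of() {
    ls -ld "$1" | awk '{print $2}'
}

# Create a file, add a second name via a hard link, remove the first name, and report.
# Prints: "<inode> <links after link> <links after unlink> <content via surviving name>"
inode_demo() {
    work=$(mktemp -d)
    printf 'evidence' > "$work/original.txt"
    ln "$work/original.txt" "$work/alias.txt"      # second directory entry, same inode
    ino=$(inode_of "$work/original.txt")
    ino2=$(inode_of "$work/alias.txt")
    [ "$ino" = "$ino2" ] || { echo "inode mismatch" >&2; rm -rf "$work"; return 1; }
    links_after_link=$(link_count_of "$work/alias.txt")
    rm "$work/original.txt"                        # unlink one name; the inode is still referenced
    links_after_unlink=$(link_count_of "$work/alias.txt")
    content=$(cat "$work/alias.txt")
    rm -rf "$work"
    echo "$ino $links_after_link $links_after_unlink $content"
}

inode_demo
```

Once the last name is removed, the reference count reaches zero and the inode and its data blocks become unallocated; nothing is overwritten at that moment, which is why the data recovery discussion that follows treats deleted data as unallocated space.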
Overview of Digital Evidence Processing Tools
Linux has a number of features that make it an ideal choice for forensic examinations:
A great many utilities useful for conducting forensic examinations come with the standard
distribution (dd, md5sum, grep).
single command may move data through several tools and into a final text file.
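The acquisition boot disk discussion and the point about chaining standard utilities come together in the script below, an added example that is not part of the chapter. It images a source with dd, verifies the copy by hash, and runs one pipeline (grep, sort, uniq) that pulls keyword hits out of the raw image into a text report. The source here is a constructed file padded to a whole number of blocks; on a real acquisition it would be a write-blocked device such as /dev/sdb, and the image would then be mounted read-only for browsing, which is omitted because it needs root. The script assumes GNU coreutils (dd, md5sum, with cksum as a fallback) and a grep that accepts -a.

```shell
#!/bin/sh
# Added example: bitstream copy, hash verification, and a one-command keyword report.

# Bitstream copy of $1 into $2. conv=noerror keeps reading past bad sectors and
# sync pads each short read so later offsets in the image stay aligned with the source.
acquire_image() {
    dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null
}

# Hash of a file. md5sum is what the chapter names; cksum is the POSIX fallback.
hash_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        cksum "$1" | awk '{print $1}'
    fi
}

# Print the hash if source and image agree; return 1 if they do not.
verify_image() {
    src_hash=$(hash_of "$1")
    img_hash=$(hash_of "$2")
    [ "$src_hash" = "$img_hash" ] || return 1
    echo "$src_hash"
}

# One pipeline, several tools: binary-safe grep for e-mail addresses in image $1,
# tally each distinct address, write the tally to report $2, print the number of distinct hits.
keyword_report() {
    grep -a -o -E '[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}' "$1" \
        | sort | uniq -c | sort -rn > "$2"
    wc -l < "$2" | tr -d ' '
}

# Constructed "device": three header lines inside zero filler, padded to two 4096-byte blocks.
# Prints: "<hash> <distinct hits> <count of top hit> <top hit>"
demo_acquisition() {
    work=$(mktemp -d)
    src="$work/source.bin"; img="$work/source.dd"; rpt="$work/keywords.txt"
    printf 'From: alice@example.org\nTo: bob@example.net\nCc: alice@example.org\n' > "$src"
    pad=$((8192 - $(wc -c < "$src")))
    dd if=/dev/zero bs=1 count="$pad" 2>/dev/null >> "$src"
    acquire_image "$src" "$img"
    hash=$(verify_image "$src" "$img") || { rm -rf "$work"; return 1; }
    hits=$(keyword_report "$img" "$rpt")
    top=$(head -n 1 "$rpt" | awk '{print $1, $2}')
    rm -rf "$work"
    echo "$hash $hits $top"
}

demo_acquisition
```

Because conv=sync pads the last partial block, a source whose size is not a multiple of the block size will hash differently from its image; in that case hash the first N bytes of the image, where N is the source size, or acquire with bs=512 on a whole device, whose size is always a multiple of the sector size.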
Data Recovery
UNIX file systems, unlike DOS/Windows, do not have slack space. The data area either
contains data or is unallocated. Deleted data is treated as unallocated space. UNIX attempts to
UNIX-based Tools
There are several methods available for recovering deleted files:
Windows-based Tools
In the Windows arena, there are a few forensic examination software tools that can recover
deleted UNIX files.
File Carving with UNIX
Software tools that can be used for recovering file data directly from data blocks include:
Lazarus uses a similar, though more thorough,
method for carving out file data.
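Header/footer carving from data blocks can be done with native tools before reaching for a dedicated carver. The script below is an added example; it is not the chapter's code and does not reproduce how Lazarus works. It locates the first header signature in an image with grep -b, searches for the footer only after that header, and cuts the bytes between them out with dd. The image is constructed: a small PDF-like object buried in zero filler. It assumes a grep that supports -a, -b and -o together (GNU grep does) and POSIX dd.

```shell
#!/bin/sh
# Added example: carve the first header..footer object out of a raw image.

# Byte offset of the first occurrence of fixed string $2 in image $1 (empty if absent).
first_offset() {
    grep -a -b -o -F "$2" "$1" | head -n 1 | cut -d: -f1
}

# Carve the first object delimited by header $2 and footer $3 from image $1 into file $4.
# Prints "<start offset> <length>"; returns 1 when no complete header/footer pair exists.
carve_between() {
    start=$(first_offset "$1" "$2")
    [ -n "$start" ] || return 1
    # look for the footer only past the header so a stray earlier footer is ignored
    rel=$(dd if="$1" bs=1 skip="$start" 2>/dev/null \
          | grep -a -b -o -F "$3" | head -n 1 | cut -d: -f1)
    [ -n "$rel" ] || return 1
    len=$((rel + ${#3}))
    dd if="$1" of="$4" bs=1 skip="$start" count="$len" 2>/dev/null
    echo "$start $len"
}

# Constructed image: 1000 filler bytes, a fake PDF, 500 more filler bytes.
# Prints: "<start> <length> <first 8 carved bytes> <last 5 carved bytes>"
carve_demo() {
    work=$(mktemp -d)
    img="$work/unalloc.dd"; out="$work/carved.pdf"
    {
        dd if=/dev/zero bs=1 count=1000 2>/dev/null
        printf '%%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%%%EOF'
        dd if=/dev/zero bs=1 count=500 2>/dev/null
    } > "$img"
    result=$(carve_between "$img" '%PDF-' '%%EOF' "$out") || { rm -rf "$work"; return 1; }
    head8=$(dd if="$out" bs=1 count=8 2>/dev/null)
    tail5=$(dd if="$out" bs=1 skip=45 2>/dev/null)
    rm -rf "$work"
    echo "$result $head8 $tail5"
}

carve_demo
```

The approach depends on the assumption stated above: that the object's blocks are contiguous. A fragmented file yields a carved object whose middle belongs to something else, which is why the result should be validated (for a PDF, by opening it) rather than trusted on the strength of matching signatures.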
Dealing with Password Protection and Encryption
Although it is possible to connect PCs into what are essentially arrays of parallel
processing units, strong encryption would still require months, years, decades, or even longer to
be broken. The forensic examiner seldom has the luxury of that much time.
Log Files
Virtually every system event, including log-on and log-off, is logged somewhere in one or more
system logs, depending on how the system is configured. Log analysis tools are available to
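Log analysis on UNIX often needs no special tool at all; the native utilities chain into the kind of pipeline described earlier. The script below is an added example, not the chapter's material. The log lines are constructed for it and imitate syslog-style sshd entries; field positions in a real log must be checked before reusing the awk and sed expressions. It assumes POSIX grep, sed, awk, sort and uniq.

```shell
#!/bin/sh
# Added example: count failed log-ons per source, flag sources over a threshold, and
# list successful log-ons, all from standard tools reading the log on stdin.

# Constructed sample log (not from any real system).
sample_auth_log() {
    cat <<'EOF'
Mar  3 02:14:07 host sshd[4123]: Failed password for invalid user admin from 203.0.113.7 port 52311 ssh2
Mar  3 02:14:09 host sshd[4123]: Failed password for invalid user admin from 203.0.113.7 port 52313 ssh2
Mar  3 02:14:12 host sshd[4130]: Failed password for root from 203.0.113.7 port 52320 ssh2
Mar  3 08:01:44 host sshd[5001]: Accepted publickey for alice from 192.0.2.10 port 40122 ssh2
Mar  3 08:05:10 host sshd[5001]: Received disconnect from 192.0.2.10 port 40122:11: disconnected by user
Mar  3 09:17:33 host sshd[5230]: Failed password for bob from 198.51.100.23 port 61001 ssh2
EOF
}

# Failed password attempts per source address, most frequent first: "<count> <address>".
failed_logins_by_source() {
    grep 'Failed password' \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# Addresses whose failure count reaches threshold $1 (default 3).
brute_force_candidates() {
    failed_logins_by_source | awk -v t="${1:-3}" '$1 >= t {print $2}'
}

# Successful log-ons as "<time> <user> <address>", in log order.
successful_logins() {
    awk '/Accepted/ {print $3, $9, $11}'
}

sample_auth_log | failed_logins_by_source
sample_auth_log | brute_force_candidates 3
sample_auth_log | successful_logins
```

The log-off for alice's session is recorded on the "Received disconnect" line, which carries the process id (5001) rather than the user name; pairing log-ons with log-offs therefore means joining on the sshd[pid] field, not on the user.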
File System Traces
Data remnants can be found in the data area or in swap space. Print spoolers and other
applications create recoverable temporary files. As stated earlier, the deleted plaintext version of
Internet Traces
UNIX is first and foremost a networking environment and there are many applications for
connecting to the Internet. Although most of these applications do not create logs, they leave
behind many recoverable traces.
Web Browsing
E-mail
Network Traces
The network-based nature of UNIX requires that forensic examiners always look for evidence of
network connections. Many networked applications retain activity logs and configuration files.
Summary
As there are a great many UNIX-based systems fielded, it is extremely likely that a forensic
examiner will encounter such systems on a frequent basis. Therefore, a thorough understanding
Multiple Choice Questions
1. Unlike the standard DOS/Windows environments, the UNIX environment has the capability
of _______________, thereby preventing the contents of evidentiary media from being
changed.
2. What is the most efficient method for a forensic examiner to confirm whether a particular
tool or methodology works in a forensically acceptable manner?
3. The inode table can be found in the ________.
4. In a block group, file data is located in _________.
5. _______, which is part of the standard Linux distribution, can be used to make a bitstream
copy of evidentiary media to either image files or sterile media.
6. MAC times, which are found in the ___________, are an example of file system traces.
7. Why is it important to determine the level of network connectivity on a UNIX system as soon
as possible?
8. Kit are examples of open source _________.
9. In UNIX, when a file is moved within a volume, the inode change date-time (ctime) is:
10. Deleting a file has the effect of preserving its inode until it is reused because:
11. When a file is deleted on a UNIX System, the ctime of its parent directory is:
12. One of the most common web browsers on UNIX systems is:
13. FireFox 3 stores potentially notable information in:
14. On UNIX systems that receive e-mail, incoming messages are held in _________, in separate
files for each user account until a user accesses them.
15. The file system mount table shows local and remote file systems that are automatically
mounted when the system is booted. This information is stored in:
True or False Questions
1. One of the most useful areas to search for notable data on a Linux system is in file slack.
2. One of the difficulties in examining UNIX systems is that the file system is extremely
3. grep is a standard Linux tool that searches a specified file or region for a specified string.
4. of one command into another is a serious
limitation and is detrimental to using the UNIX platform for forensic examinations.
5. Most data-carving tools operate on the assumption that the operating system generally
tries to save data in contiguous sectors.
6. Given a sufficiently powerful computer, ev
short time.
7. As UNIX was never designed to work on networks, there are very few native utilities
designed to access the Internet.
8. UNIX log files (or those of any operating system, for that matter) can provide a great deal
of useful information to the examiner.
9. On UNIX systems, e-mails and all attachments are stored as plaintext in
10. When examining a UNIX system, searching for network traces is not usually necessary.
11. When requesting a search warrant, remotely connected systems cannot be considered part
of the target system, so it may be necessary to obtain proper authorization before
examining them.
12. A list of currently mounted drives, including those not listed in the file system mount
13. When a target system is connected to other systems in remote locations, it is expedient
for the digital investigator to access these systems via remote access.
14.
inode bitmaps.
15. The mainstay of acquiring digital evid
Discussion Questions
For each of the following questions, develop discussion notes and be prepared to discuss your
findings.
1. hould have a high degree of competence in all
operating systems and their respective file syst
2. Which is the more effective forensic examiner, one who can operate forensic tools in a
variety of operating environments (operating system, file system, etc.) and conducts
Scenario