In "Building and Using an Incident Response Toolkit, Part 1," April 2004, InstantDoc ID 41900, and "Building and Using an Incident Response Toolkit, Part 2," May 2004, InstantDoc ID 42173, I discuss how to quickly and appropriately respond to a computer security incident. In this two-part article, I delve into the field of computer forensics and show you how to conduct an in-depth analysis of the compromised machine. The preparation for this analysis involves creating a bootable CD-ROM and duplicating the compromised machine's hard disk. You can then use several utilities to analyze the contents of that duplicate disk. Before I begin, however, let's quickly cover three basic forensic-analysis principles:
- You must avoid changing any data on the corrupt machine. To preserve the data, you need to perform a forensic duplication of the compromised hard disk, verify that the duplicate disk is exactly the same as the original, then perform all the analyses on the duplicate disk. Most forensic tools are designed to work on duplicate disks to avoid changing any pertinent information (e.g., access times) on the compromised computer.
- You shouldn't trust any programs or data on the compromised computer because the attack might have compromised them. By performing the forensic duplication, then using forensic tools on the duplicate disk, you avoid the use of potentially compromised programs and data.
- You need to document the forensic duplication and analysis. One good documentation method is to create digital hashes of the compromised hard disk and the forensic image. If the hashes match, you've mathematically proven that the data hasn't been altered. You should also document the programs you run and their output. If you anticipate that the computer security case will go to court, you might consider having two parties document the forensic duplication and analysis.
Keeping these three principles in mind, let's look at how to create a bootable CD-ROM and how to make a copy of the compromised disk. Note that although these tasks involve running a few Linux commands, you don't need any prior knowledge of Linux to use the methods I describe.
Creating the CD-ROM
The first task in a forensic analysis is to obtain the tools you'll need to duplicate the compromised disk and analyze the duplicate disk's contents. The forensic software that I use is the Penguin Sleuth Kit, an open-source version of the Knoppix distribution that's been modified specifically for forensic use. Knoppix is a Linux distribution that's designed to run from a CD-ROM drive without any installation. The software boots from the CD-ROM and loads the entire OS into memory. Thus, any computer with a CD-ROM drive can instantly function as a Linux-based forensic workstation. Whereas the standard Knoppix distribution writes to the disk to provide a swap partition, Penguin Sleuth Kit creator Ernest Baca has tweaked the Knoppix distribution so that the Penguin Sleuth Kit doesn't write any information to the compromised hard disk.
Other third-party tools are also available for performing forensic duplication and analysis, such as Guidance Software's EnCase and New Technologies Incorporated's (NTI's) SafeBack. However, I won't cover those tools here because, for the price of a CD-ROM, you can duplicate the third-party tools' functionality with comparable or better performance.
The Penguin Sleuth Kit contains all the standard Linux utilities, plus dozens of forensic tools, including the extremely useful Sleuth Kit (formerly known as The @stake Sleuth Kit—TASK) and Autopsy tools. In addition, you can use the Penguin Sleuth Kit to make a copy of the compromised disk or even browse that disk without disturbing any evidence.
You can download the Penguin Sleuth Kit from Linux-Forensics.com. Go to http://www.linux-forensics.com/downloads.html and click one of the Download Penguin Sleuth Mirror links. You need to burn the bootable International Organization for Standardization (ISO)-based image to a CD-ROM. That way, you simply place the bootable CD-ROM in any computer's CD-ROM drive and the Penguin Sleuth Kit is ready to use.
Besides creating the bootable CD-ROM, you must prepare the medium on which you want to copy the compromised disk. The medium needs as much space as the hard disk has because the Penguin Sleuth Kit copies even empty sections of the disk. Therefore, if you have a 10GB disk with 2GB free, you need at least 10GB, not 8GB, on which to store the image. You can use an external hard disk that's connected through a USB 2.0 or FireWire (IEEE 1394) port or an internal hard disk. If you choose to use an internal hard disk, you need to install it in the corrupt computer without displacing the CD-ROM drive or the compromised hard disk. Don't forget to note the internal hard disk's logical location (e.g., the slave on the second IDE bus).