
Building a Forensics Workstation

Introductory Computer Forensics

Abstract

The objectives of this chapter are to:

Appendices

Appendix A Installing software in Linux

You will need to become root (or superuser) to install software.

There are many ways to install software in Linux, either graphically or from the command line. Two popular ways are installing software from source code and installing software with Apt [14], the package manager for Debian and Debian-based Linux distributions such as Ubuntu and Kali Linux.

Note that there are many Linux distributions, and the way software is installed differs slightly from one distribution to another. Kali Linux is based on Debian Linux, which uses Apt.

(a) Using the apt-get commands to manage packages in Linux

apt-get performs installations, package searches, updates and many other operations on the software packages available to Debian and Debian-based Linux systems.

    For example, to install a package, use:

    % apt-get install [package_name]

    To remove a package, use:

    % apt-get remove [package_name]

(b) Compiling and installing software from source in Linux

The installation procedure for software distributed as a tar.gz (or tgz) or tar.bz2 package is not always the same, but it usually follows the steps below, assuming that the package containing the program's source code is named archive:

# tar -zxvf archive.tar.gz (or tar -zxvf archive.tgz) or tar -xvjf archive.tar.bz2:

Decompress and unpack the files contained in the compressed tar archive called archive

# cd archive:

Change directory into the unpacked source tree

# ./configure:

Run the configure script, which checks the build environment and prepares the source tree for compilation, including generating the Makefile

# make:

Compile the program with the GNU make utility, following the rules in the Makefile

# make install:

Install the compiled software (this step writes to system directories and is why root is required)
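The following script automates the source-install sequence above. It is an added example, not code from the book: it picks the tar flags from the archive suffix, checks the archive's SHA-256 against a value you obtain from the project's release page (an assumption; the book does not cover checksums) before anything is unpacked, and only then runs configure, make and make install. The function names and the use of sudo for the install step are assumptions.

```shell
#!/bin/sh
# Added example (not from the book): unpack a source archive chosen by its
# suffix, verify its SHA-256 first, then run the configure/make/make install
# sequence from Appendix A. Function names and paths are assumptions.

# extract_archive ARCHIVE DESTDIR
# Chooses the tar flags from the suffix (tar.gz/tgz -> -z, tar.bz2 -> -j)
# and unpacks into DESTDIR. Returns 1 for a suffix it does not recognise.
extract_archive() {
  archive=$1
  dest=${2:-.}
  case "$archive" in
    *.tar.gz|*.tgz) tar -xzf "$archive" -C "$dest" ;;
    *.tar.bz2)      tar -xjf "$archive" -C "$dest" ;;
    *) echo "unknown archive type: $archive" >&2; return 1 ;;
  esac
}

# verify_sha256 ARCHIVE EXPECTED_HEX
# Compares the archive's SHA-256 with the value published by the project
# (assumed to be copied from the release page, not from the download itself).
verify_sha256() {
  actual=$(sha256sum "$1" | cut -d' ' -f1)
  [ "$actual" = "$2" ]
}

# build_from_source ARCHIVE EXPECTED_HEX SRCDIR
# Refuses to build when the checksum does not match, otherwise unpacks into a
# scratch directory and runs the Appendix A steps. 'make install' needs root,
# so only that step is run through sudo.
build_from_source() {
  verify_sha256 "$1" "$2" || { echo "checksum mismatch, refusing to build" >&2; return 1; }
  workdir=$(mktemp -d)
  extract_archive "$1" "$workdir" || return 1
  ( cd "$workdir/$3" && ./configure && make && sudo make install )
}

# Usage (assumed values): build_from_source archive.tar.gz <sha256 from release page> archive
```

Keeping the checksum check in front of the extraction step matters because tar archives are unpacked with the privileges of the user running them; verifying first means an altered download is never written to disk as a source tree at all.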

Appendix B dcfldd Cheat Sheet

dcfldd is “an enhanced version of GNU dd with features useful for forensics and security”, for example, creating a forensic image of an entire disk. The basic syntax of the command is:

  • dcfldd if=<input file> bs=512 skip=0 count=1 of=<output file>

This command reads data from the source (a drive or a file) and writes it to an output file (or drive). With these options it reads exactly one block from the beginning of the input file, since the block size has been set to 512 bytes and count is 1.

Where:

1. if= specifies the input file. Example input files include:

LINUX

/dev/stdin: “standard input” (stdin) device, i.e., the keyboard

/dev/hda: first IDE physical drive

/dev/hda2: second (logical) partition of the first IDE drive

/dev/sda: first SCSI physical drive

WINDOWS

\\.\PhysicalDrive0: first physical drive

\\.\D:: logical drive D:

\\.\PhysicalMemory: physical memory

2. of= specifies the output file. Example output files include:

imagefile.img: bit-for-bit image file

/dev/usb: USB drive

/dev/hdb: second IDE drive

3. Useful options

bs=block size: sets the block size in bytes

count=N: copy only N blocks of the input file

skip=N: skip N blocks at the start of the input file before copying. By default skip=0, which means the input file is read from the beginning.

conv=noerror,sync: do not stop on read errors (noerror), and pad any short or unreadable block with zeros (sync) so that offsets in the image stay aligned with the source

hashwindow=num: compute a hash for every num bytes of data

hashwindow=0: hash the entire input

hashlog=filename: write the MD5 hash(es) to the given file instead of standard error

4. Usages and examples

(a) Create a disk image

Example: dcfldd if=/dev/sdb of=/datatraveller.img

This command creates a disk image of the external USB drive /dev/sdb and writes the image to an output file called datatraveller.img.

(b) Wipe hard drives and flash drives, for example by overwriting them with zeros

Example: dcfldd if=/dev/zero of=/dev/sdb

This command fills the external USB drive /dev/sdb with zeros.

(c) Extract an arbitrary portion of a data file

Example: dcfldd if=thumbimage_fat.dd bs=512 skip=0 count=1 of=mbr.dd

Assume that thumbimage_fat.dd is an image of an MBR-partitioned disk. This command extracts the first 512-byte sector, the MBR, into mbr.dd.
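The script below works through the imaging and MBR-extraction examples above, together with the conv=noerror,sync and skip/count options from the option list. It is an added example and not code from the book; it uses plain dd, which accepts the same if=, of=, bs=, skip= and count= arguments as dcfldd, so it runs on any Linux system even when dcfldd is not installed. Because hashwindow= and hashlog= are dcfldd-only, the hash of source and image is computed separately with md5sum. The sample "drive" is a constructed four-sector file with a valid 0x55AA boot signature; all file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the book): image a drive file, confirm the image
# hashes identically to its source, and carve out the MBR sector, using the
# same if=/of=/bs=/skip=/count= arguments dcfldd takes. Names are assumptions.

# make_sample_disk PATH
# Constructs a tiny four-sector "drive" (2048 bytes of zeros) and writes the
# 0x55 0xAA boot signature at offset 510, so sector 0 looks like an MBR.
make_sample_disk() {
  dd if=/dev/zero of="$1" bs=512 count=4 2>/dev/null
  printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# image_and_verify SRC DEST
# Copies SRC to DEST sector by sector. conv=noerror,sync keeps going past read
# errors and zero-fills bad sectors so the image stays offset-aligned with the
# source; the MD5 comparison afterwards is the check that nothing was altered
# (on a real drive, compare against the hash dcfldd writes via hashlog=).
# Note: sync pads the final block, so SRC must be a whole number of sectors.
image_and_verify() {
  dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null || return 1
  src_md5=$(md5sum "$1" | cut -d' ' -f1)
  dst_md5=$(md5sum "$2" | cut -d' ' -f1)
  [ "$src_md5" = "$dst_md5" ]
}

# extract_mbr IMAGE OUT
# Example (c) above: skip 0 blocks, copy 1 block of 512 bytes, i.e. sector 0.
extract_mbr() {
  dd if="$1" of="$2" bs=512 skip=0 count=1 2>/dev/null
}

# mbr_signature FILE
# Prints the two bytes at offset 510 as hex; a valid MBR ends in 55aa.
mbr_signature() {
  od -An -tx1 -j 510 -N 2 "$1" | tr -d ' \n'
}

# Usage (assumed paths):
#   make_sample_disk /tmp/disk.raw
#   image_and_verify /tmp/disk.raw /tmp/disk.img && echo "image verified"
#   extract_mbr /tmp/disk.img /tmp/mbr.dd && mbr_signature /tmp/mbr.dd   # 55aa
```

The signature check is a cheap sanity test that the skip/count arithmetic landed on the sector you expected: if the two bytes at offset 510 are not 55aa, the carved block is not an MBR and the offsets should be rechecked before any further analysis.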

Copyright information

© 2018 Springer Nature Switzerland AG


Cite this chapter

Lin, X. (2018). Building a Forensics Workstation. In: Introductory Computer Forensics. Springer, Cham. https://doi.org/10.1007/978-3-030-00581-8_3


  • DOI: https://doi.org/10.1007/978-3-030-00581-8_3


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-00580-1

  • Online ISBN: 978-3-030-00581-8
