CS 482 - Computer Forensics

Lab 1: Evidence Acquisition / Linux System

Due Date: September 14th, 2008, 23:59 EDT
Deliverables: Report in PDF format
This lab is worth 10% of your final grade.

This lab is designed so that you get familiar with a Linux system and also learn some basics about the forensic acquisition process. We are getting ahead in material that has not yet been discussed in class, but most of the work you need to do for this lab is researching various things. The effort you put into this lab should pay off in Lab 3, so make sure you understand what is going on and how to accomplish your tasks.

You are given a suspended virtual machine of a computing system on the VM server. Your VM name is <username>-lab1. You should treat this machine as if it were a real, physical computer in front of you (as much as you can; also, to be safe, make a snapshot of the VM before you do anything else). The computer for this lab is running a version of the Linux operating system. See the Infosec lab instructions for details on how to access your VMs.

Task 1

Explore this Linux system and describe its capabilities and organization. Make sure you address the following points:

Task 2

Research the capabilities of the Helix Incident Response & Computer Forensics Live CD. For a Linux system, what can a forensic examiner do with the CD? The Helix for Beginners document (PDF, 15MB) is an excellent starting point if you are not familiar with Helix or other forensics toolkits.

Task 3

A current Helix .iso file is available for you to use with the Lab 1 VM in the VM server's data store under the "SANstorage->ISO" path. Attach the Helix .iso file as the CD-drive for your VM. Read the section about Linux static binaries in the Helix for Beginners document. What do you need to do to access/execute the static binaries contained on the CD instead of using the binaries of the Lab 1 Linux system? Do they work on this system? Why would a forensic examiner prefer to use the static binaries from the CD over the ones present on the system? Let's assume the CD binaries do not work. What would you have to do to prepare your own CD with proper binaries for the particular system at hand? (Describe this process in detail, but you need not actually do it.)

Task 4

Power down the Lab 1 VM and then boot the system using the Helix CD. Read the section in the Helix for Beginners document about "Imaging to a Netcat/Cryptcat Listener" and then image the entire Lab 1 system hard drive to your forensic workstation using netcat (nc). The netcat tool may have different functionality on different systems, so make sure you use it correctly (read the man page for it -- man nc). Verify that you transferred the data correctly by computing the SHA256 cryptographic checksum for both the original and the forensic copy. Document all your steps in the report. Also describe how you would capture information from a running system in a similar manner (both hard disk and more volatile information).
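The imaging-and-verification procedure above, as an added example that is not part of the lab handout or the Helix documentation. The workstation address, port and device path are assumed placeholders, and the `start_listener` form follows traditional netcat (`-l -p`), which the page warns may differ from the `nc` on your system:

```shell
#!/bin/sh
# Added example (not from the lab handout): image the suspect drive to a
# netcat listener and verify the copy with SHA256. WORKSTATION_IP, PORT and
# SOURCE_DEV are assumed placeholders; adjust them for your own setup.
WORKSTATION_IP="${WORKSTATION_IP:-192.0.2.10}"   # forensic workstation (placeholder address)
PORT="${PORT:-9999}"                             # listening port (placeholder)
SOURCE_DEV="${SOURCE_DEV:-/dev/sda}"             # suspect drive as seen from the Helix CD

# Step 1, on the forensic workstation: start the listener BEFORE sending.
# Traditional/GNU netcat wants "-l -p PORT"; OpenBSD netcat wants "-l PORT".
# Check "man nc" on the workstation and use the form it documents.
start_listener() {
    nc -l -p "$PORT" > "$1"        # $1 = output image file, e.g. lab1.dd
}

# Step 2, on the suspect system booted from Helix: stream the raw device.
# bs=512 keeps blocks sector-aligned; conv=noerror,sync zero-fills unreadable
# blocks instead of aborting. With a larger bs, conv=sync pads the final
# partial block, and the image hash would then differ from the device hash.
send_image() {
    dd if="$SOURCE_DEV" bs=512 conv=noerror,sync | nc "$WORKSTATION_IP" "$PORT"
}

# SHA256 of a file or block device, using whichever tool is available.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Step 3: hash the original on the suspect side and the image on the
# workstation, then compare. Exit status 0 means the copy is verified.
verify_copy() {
    orig=$(digest "$1")   # e.g. digest /dev/sda, run from the Helix CD
    copy=$(digest "$2")   # e.g. digest lab1.dd, run on the workstation
    printf 'original: %s\ncopy:     %s\n' "$orig" "$copy"
    [ "$orig" = "$copy" ]
}
```

In practice the two `digest` calls run on different machines; record both digests in the report and compare them by hand if you cannot bring the image back to the suspect side.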

Report Document

Submit your report documenting all four tasks and answering the questions therein as a single PDF document. Name the PDF "<your last name>-lab1.pdf" and upload it as your lab submission in Blackboard.