Saturday, October 25, 2014

Linux Machine Preparation

The purpose of this post is to provide a basic (though incomplete) guide to preparing a Debian based machine to perform very basic forensic analysis of other computers and electronic devices.  It is quite possible that this will be modified multiple times over the duration of this blog.

First things first, you will need a computer or virtual machine running 64 bit Debian, Ubuntu, or some variant.  If you are a linux wizard then you probably can skip this post (minus the list of tools) and user your preferred distribution.  If you can't get your hands on a 64 bit machine you may find that some of the tools I am listing are incompatible and will not install.  If you are running a VM make sure that the guest additions are installed before installing the other tools.

I normally run Ubuntu 14.04 because it's repository is usually more up to date.  For this example, I wanted to build a forensic machine with the Debian based Crunchbang distribution seen below.  This distribution is quick and lightweight, leaving me more resources for data crunching.

So now lets talk about what we need to actually do some forensic analysis.  Below I've compiled a list of tools I am currently using in linux in the order of installation.  These will be covered in more detail following the list.

There are many other tools that could be added to this list and I'd love to hear any recommendations in the comments section.

This rest of this post will be discussing the installation of these tools.  If this list continues to grow a series of pages dedicated to machine setup can be made.  As a rule of thumb I prefer to download and compile the latest version of software that is available.  Sometimes this won't be possible and the best option will be to use the distributions repository.

Lets start with libewf.  The libewf package allows you to work with multiple forensic file types including the EnCase File Format.  Further information can be found here.  We'll install this first because xmount depends on it and The Sleuth Kit recommends it.

This package is fairly simple to install and a detailed list of instructions for installing this tool on just about any platform can be found here.  The installation process I used in Crunchbang can be seen below:

$sudo apt-get install build-essential debhelper fakeroot autotools-dev zlib1g-dev bzip2 libssl-dev libfuse-dev python-dev
$tar xfv libewf-20140608.tar.gz
$cd libewf-20140608/
$cp -rf dpkg debian
$dpkg-buildpackage -rfakeroot
$cd ..
$sudo dpkg -i libewf_20140608-1_amd64.deb libewf-tools_20140608-1_amd64.deb

Next I installed Xmount.  This tool allows us to work with different data formats including EnCase File Format, DD (raw), and multiple virtual disk types.  More information on this can be found here.  Below is the installation process I used to install Xmount:

$sudo dpkg -i xmount_0.7.2_amd64.deb

Next lets get one of our primary tools installed.  The Sleuth Kit has been covered some already in this blog and will continue to be one our primary tools.  The installation for this on Crunchbang required some work.  I tried compiling this tool from source but encountered some java issues.  I reached out to the Crunchbang forums for some assistance with my issue and was promptly pointed towards "backports".   I knew I was going to need to add Debian's backports repo to my system so I modified the /etc/apt/sources.list file by using the command $sudo nano /etc/apt/sources.list.  Once the editor opened I added the following line to the end of the file:

## Debian Backports
deb wheezy-backports main contrib non-free

So that my completed sources.list looks like this:

## Compatible with Debian Wheezy, but use at your own risk.
deb waldorf main
deb-src waldorf main

deb wheezy main contrib non-free
#deb-src wheezy main contrib non-free

deb wheezy/updates main
#deb-src wheezy/updates main

## Debian Backports
deb wheezy-backports main contrib non-free

Next I downloaded the latest Debian backports package.

$ sudo apt-get update
$ sudo apt-get update
$ wget

And then finished the installation as follows:

$ sudo dpkg -i sleuthkit_4.1.3-3~bpo70+1_amd64.deb
$ sudo apt-get -f install

The apt-get -f install resolved the remaining dependencies for the sleuthkit install.

To install this on Ubuntu I've been pointed towards the repo setup below, which adds many tools that may be helpful:

$ sudo add-apt-repository ppa:kristinn-l/plaso-dev
$ sudo apt-get update
$ sudo apt-get install python-plaso

You will notice quite a few tools but primarily this will give you an up to date functioning sleuthkit installation without all the compiling.

Next I installed Testdisk with PhotoRec for data carving (more infor here):

$ wget
$ tar -vxjf testdisk-7.0-WIP.linux26-x86_64.tar.bz2

Easy enough.

Then it was XnViewMP for viewing the images and videos (more info here):

$ wget
$ sudo dpkg -i XnViewMP-linux-x64.deb

and KeepNote fore reporting:

$ wget
$ sudo dpkg -i keepnote_0.7.8-1_all.deb
$ sudo apt-get -f install

GThumb is another tool for viewing images.  The latest version was located in the default repository:

$ sudo apt-get install gthumb

Finally, I installed Guymager.  This tool is a forensic imaging tool with a GUI.  The version in the repository will be sufficient:

$ sudo apt-get install guymager

That's it.  Hopefully this helps anyone wondering how to get the basics going.  I recommend learning one tool at a time.

NOTES:  ppa:kristinn-l/plaso-dev

No comments:

Post a Comment