h1

Carve and Sift: My Primer to Linux Computer Forensics

01/05/2013
The Deft Linux Desktop

The Deft Linux Desktop

Actually, the title is a bit of a misnomer. I’d already learned a bit about computer forensics and the process of recovering files on Windows operating systems some years ago. I had pulled a lot of lost data from a machine that had unexpectedly quit working, saving a lot of customer data for a person who, for the sake of their employment, shall remain anonymous.

However, the method I went about it could hardly be called “forensics” as I had to install some software to a USB and I still had to boot into the OS. I did a lot of writing to the disk (a forensics no-no) and not much was really preserved intact, but I did manage to save what needed to be saved. It really didn’t feel like I had done anything that would be useful to, say, a crime lab.

Deft Linux

cyClone_Menu

The cyClone menu system is pretty clear and can produce either raw or compressed image files with SHA1 or MD5 hashes.

A few weeks ago I was asked if I could perform such a task on a newer Windows 7 laptop, one with a terabyte hard drive, resurrecting some home videos and photos that had been deleted. I jumped at the chance for three reasons: First, these files were of special importance to this person, as one of the family members had died recently and had failed to back them up. Secondly, this gave me a chance to try out the new Deft Linux package on a computer that I could actively see if it was successful. Lastly, the data was relatively nonvolatile. If I accidently wiped it, then no one was getting fired.

I downloaded and burned Deft Linux 7 onto a DVD and got to work. Deft is a Live Disc, meaning that the OS loads from the DVD rather than a hard disk, and is largely based on Ubuntu. The Deft Distro itself is an amalgamation of both Linux and Windows software (through WinE) put together by some people in Italy. It has an English version, and is just about as all-inclusive as you can get with the Linux tools. It also is set up not to mount any drives until you tell it to, and even then you can specify to mount as read-only or full access.

After looking through the impressive and useful manual on their website, I concluded that the pieces of software that I was going to use for the job were cyClone, Foremost and Scalpel. Luckily, there is a GUI front-end for the latter and a menu-driven command-line interface for the former. This was just about as simple as it could get.

Carving

After you carve, you'll want to sift through the image file to see what you can find and/or "resurrect".

After the carve you’ll have a dd image file (raw) and a log telling you how long it took and if it passed the SHA1/MD5 verification check.

The first step in getting the data off of a drive is to Carve it. That is to say, you “carve” out the piece of the drive you want to look at and put it somewhere else, some place that ideally has more space or maybe more computing power. In my case, I didn’t have the time, nor interest, in installing the software on my Linux boxes, so I just carved and set it aside.

Also, I wasn’t particularly interested in the entire drive, as they only really used the first 200GB of the 750GB that had been allotted them on the main C: drive. It would have been too time consuming and not revealed much to look at the last ~550GB of it. So, I carved only the first 200GB and placed it on one of the SATA drives that I had made in a previous project. If you want to get really fancy, you can run the command-line dcfldd which is the US Department of Computer Defence Forensics Lab’s enhanced version of the dd command.

Hunchback_GUI

After you carve, you’ll want to sift through the image file to see what you can find and/or “resurrect”.

Remember before when I said that Deft didn’t mount the drive and you could select to mount as Read Only or Full Access? The reason for this is that data is written to the disk when they are mounted in Full Access mode which is default for almost every OS out there. If we’re police investigators trying to get clues about what’s on a computer, we certainly don’t want to taint the crime scene by scribbling all over it. Mounting a partition in read-only mode prevents the us or the OS from accidently doing just that.

Sifting

Sifting is mostly hit-and-miss, with the emphasis on the miss. It also takes quite a long while, depending on the size of the image.

Sifting is mostly hit-and-miss, with the emphasis on the miss. It also takes quite a long while, depending on the size of the image.

This is the part that takes the longest. Now that we have our cloned drive, we need to go through it and pull out all of the files we need and organize them. There are many ways to do this, but the easiest in Deft is to use the Hunchback GUI. This is a GUI front-end for for the scalpel and foremost command-line pieces. Options in Hunchback aren’t as robust as they are from the command-line, which is usually the case, but they were good enough for us.

I selected all the picture and video types, ignoring things like PDFs or EXEs. Then I pointed to another external drive (from a previous project) and told it to drop all the files that it found in that folder and arrange them by type. The software creates folders for each one and copies what it can accordingly.

Once that was done, I re-mounted the internal 750GB drive with full access, dropped the files I had sifted onto it, and I was done. Now, they could look through the files at their leisure (tens of thousands) and get their deleted files back.

A Further Word

This above, while definitely not a how-to, is a very simple way of getting data off of a Windows or other OS’s drive without disturbing the contents. You could even stop at the image stage and take it with you to sift later. It is an EXACT copy of the drive, deleted files and all.

Deft also contains a gargantuan number of other useful tools for doing things besides straight computer forensics. It also has utilities for network forensics, encryption study and more. If you’ve ever been interested in Computer or Network forensics, then Deft is a must have. It’s definitely tool number one on my belt for this kind of work.

-CJ Julius

About these ads

9 comments

  1. First off I would like to say great blog! I had a quick question that I’d like to ask if you do not mind. I was curious to find out you dealt with the 1TB drive and only making it 200GB? I keep getting errors.


    • You can simply let it run until you get the errors and then carve from that file. It doesn’t matter if the files “suddenly” end because the sifting will look at each entry individually anyway.


  2. There is certainly a lot to find out about this topic. It seems like there’s a lot of software out there for this, but I like Deft the best. Everythign is already installed. :D


    • There certainly is. Deft is the best that I’ve found so far. I may do a more in-depth look at some of the more obscure software later.


  3. […] month or so ago I did a walk-through of some simple computer forensics using Deft 7 Linux (Carve and Sift: My Primer to Linux Computer Forensics). There have been several other versions of this distro to come out since then, but now that the […]


  4. Way cool! Some very valid points! I appreciate you penning this article plus the rest of the website is extremely good.


    • Thanks!


  5. Fantastic goods from you, man. I have been aware of your
    stuff previously and you are simply extremely magnificent.
    I really like what you’ve done right here, certainly like what
    you’re stating and the best way in which you are saying it.
    You’re making it entertaining and you still
    care for to keep it sensible.


  6. […] month or so ago I did a walk-through of some simple computer forensics using Deft 7 Linux (Carve and Sift: My Primer to Linux Computer Forensics). There have been several other versions of this distro to come out since then, but now that the […]



Comments are closed.

Follow

Get every new post delivered to your Inbox.

Join 59 other followers

%d bloggers like this: