Carve and Sift: My Primer to Linux Computer Forensics01/05/2013
Actually, the title is a bit of a misnomer. I’d already learned a bit about computer forensics and the process of recovering files on Windows operating systems some years ago. I had pulled a lot of lost data from a machine that had unexpectedly quit working, saving a lot of customer data for a person who, for the sake of their employment, shall remain anonymous.
However, the method I went about it could hardly be called “forensics” as I had to install some software to a USB and I still had to boot into the OS. I did a lot of writing to the disk (a forensics no-no) and not much was really preserved intact, but I did manage to save what needed to be saved. It really didn’t feel like I had done anything that would be useful to, say, a crime lab.
A few weeks ago I was asked if I could perform such a task on a newer Windows 7 laptop, one with a terabyte hard drive, resurrecting some home videos and photos that had been deleted. I jumped at the chance for three reasons: First, these files were of special importance to this person, as one of the family members had died recently and had failed to back them up. Secondly, this gave me a chance to try out the new Deft Linux package on a computer that I could actively see if it was successful. Lastly, the data was relatively nonvolatile. If I accidently wiped it, then no one was getting fired.
I downloaded and burned Deft Linux 7 onto a DVD and got to work. Deft is a Live Disc, meaning that the OS loads from the DVD rather than a hard disk, and is largely based on Ubuntu. The Deft Distro itself is an amalgamation of both Linux and Windows software (through WinE) put together by some people in Italy. It has an English version, and is just about as all-inclusive as you can get with the Linux tools. It also is set up not to mount any drives until you tell it to, and even then you can specify to mount as read-only or full access.
After looking through the impressive and useful manual on their website, I concluded that the pieces of software that I was going to use for the job were cyClone, Foremost and Scalpel. Luckily, there is a GUI front-end for the latter and a menu-driven command-line interface for the former. This was just about as simple as it could get.
The first step in getting the data off of a drive is to Carve it. That is to say, you “carve” out the piece of the drive you want to look at and put it somewhere else, some place that ideally has more space or maybe more computing power. In my case, I didn’t have the time, nor interest, in installing the software on my Linux boxes, so I just carved and set it aside.
Also, I wasn’t particularly interested in the entire drive, as they only really used the first 200GB of the 750GB that had been allotted them on the main C: drive. It would have been too time consuming and not revealed much to look at the last ~550GB of it. So, I carved only the first 200GB and placed it on one of the SATA drives that I had made in a previous project. If you want to get really fancy, you can run the command-line dcfldd which is the US Department of Computer Defence Forensics Lab’s enhanced version of the dd command.
Remember before when I said that Deft didn’t mount the drive and you could select to mount as Read Only or Full Access? The reason for this is that data is written to the disk when they are mounted in Full Access mode which is default for almost every OS out there. If we’re police investigators trying to get clues about what’s on a computer, we certainly don’t want to taint the crime scene by scribbling all over it. Mounting a partition in read-only mode prevents the us or the OS from accidently doing just that.
This is the part that takes the longest. Now that we have our cloned drive, we need to go through it and pull out all of the files we need and organize them. There are many ways to do this, but the easiest in Deft is to use the Hunchback GUI. This is a GUI front-end for for the scalpel and foremost command-line pieces. Options in Hunchback aren’t as robust as they are from the command-line, which is usually the case, but they were good enough for us.
I selected all the picture and video types, ignoring things like PDFs or EXEs. Then I pointed to another external drive (from a previous project) and told it to drop all the files that it found in that folder and arrange them by type. The software creates folders for each one and copies what it can accordingly.
Once that was done, I re-mounted the internal 750GB drive with full access, dropped the files I had sifted onto it, and I was done. Now, they could look through the files at their leisure (tens of thousands) and get their deleted files back.
A Further Word
This above, while definitely not a how-to, is a very simple way of getting data off of a Windows or other OS’s drive without disturbing the contents. You could even stop at the image stage and take it with you to sift later. It is an EXACT copy of the drive, deleted files and all.
Deft also contains a gargantuan number of other useful tools for doing things besides straight computer forensics. It also has utilities for network forensics, encryption study and more. If you’ve ever been interested in Computer or Network forensics, then Deft is a must have. It’s definitely tool number one on my belt for this kind of work.