Posts Tagged ‘computer’


Linux Computer Forensics: Deft Linux 8.0b

Deft Linux 8.0b is out and it's looking great.

Deft Linux 8.0b is out and it’s looking great.

A month or so ago I did a walk-through of some simple computer forensics using Deft 7 Linux (Carve and Sift: My Primer to Linux Computer Forensics). There have been several other versions of this distro to come out since then, but now that the beta for 8.0b has been released publicly, it marks a slight shift in the way Deft handles.

While my previous guide is still valid, there are a few additions that really place this version above its predecessors. Now, I’m not going to go through every change, you can do that by going to their website, but there are some really neat features that I’d like to point out.

New Feel

The first thing that will hit you when you start Deft 8.0b is the new layout. While the base operating system is still Ubuntu (Lubuntu to be precise) the LXDE desktop has been further customized from its 7.x version and now looks and feels like its own OS rather than a 1-off from an Ubuntu derivative. The menu is themed for Deft 8.0 with a little 8-ball and more icons have been added to the bottom panel.

The Desktop is more reserved and better organized.

The Desktop is more reserved and better organized.

[Screenshot of Deft 7]
(Opens in a New Window)

The desktop still has the LXTerminal (a must) and the evidence folder, but gone is the “Install” option. Since this is a beta version it is unclear whether this is gone forever or if it will be back later. 8.0b is certainly installable as the boot menu attests.

Guymanager, a very nice disk managing/imaging tool, has been added as well as the file manager for quick access. You’ll see in my screenshots that there is a “Get Screenshot” icon on the desktop, but that was added by me for this article and is not default.

The menu panel is almost entirely new, with only LxKeyMap being carried over with the standard desktop selector. There is a whole host of new software moved in, some from previous versions of Deft but were housed in the menu (like Autopsy) or on the command line. All-in-all this is a good move, as the most used programs are put front and center and the more specialist and less-used are in the easily navigable menus.

New Software

GuyManager is a welcome addition to Deft 8.

GuyManager is a welcome addition to Deft 8.

Deft 8.0b brings a lot of new software to the distro by default and the latest versions of most of it. This version is 64-bit only, and able to work in up to 256TB of RAM. Previous versions could only “see” 4GB because of the 32-bit limitation.

Again, their post on the update gives a broader view of the changes, but there are a few that I wanted to note in summary:

  • Cyclone is now at 0.2 and appears to be mostly the same as before. I’m assuming the changes are back-end.
  • Sleuthkit 4.0 stable is now included, but the Deft devs say that 4.1 will be on the official 8.0 release. [Website]
  • Guymanager 0.7.1, mentioned before, is a very nice forensics tool/disk mounting utility. [Website]
  • Tor is now available pre-installed with browser. I’ve not much use for this, but it is an increasingly-popular internet-access method. [Website]

Skype Xtractor is also new and is probably my favorite addition to Deft 8. While I’m not a criminal investigator, and I’m generally only using the distro for file-recovery, its future utility could be invaluable. Skype Xtractor is a command-line program that extracts the tables from Skype’s main.db and chatsync files and outputs them to html. So far, you can only get it on Deft 8, but it’s so useful I can’t imagine that it won’t show up elsewhere.

New Everything Else

SciTE is a new-ish text editor to Deft 8 and is the sole resident of the new Programming menu.

SciTE is a recently added text editor and is the sole resident of the new Programming menu.

Almost every other piece of software has gotten an update since Deft 7 and some have been given GUI front-ends, which is nice for beginners or those not terribly familiar with Linux command-line. The focus on 64-bit architectures with this version will mean that it probably won’t supplant my use of Deft 7 completely; there are quite a few machines in use out there that are single-core systems.

If you’re familiar with Deft 7, then I’d recommend getting 8 and using it on your 64-bit machines when able, since everything that was in the previous version is in this one (even though it’s beta) and better. Switch back to 7 only if you have to do so. However, if you’re new to computer forensics then I’d recommend sticking to 7 or waiting for the official Deft 8 release which should be very soon.

-CJ Julius


How I Turned an Old Computer Into a Mobile Digital Vault


For a couple of years I’ve had an older HP AMD64 sitting around that the motherboard went out on, and I’ve been looking for a use for the parts. More specifically, I’ve been looking for a way to use the 500GB SATA HD that’s inside. It seemed like an awful lot of space to waste.

Stripped Insides of the old computer

I just took the HD, RAM and CPU.

I posted a while back on my Twitter (or possibly LinkedIn, it’s been a while) a link to LifeHacker’s “Five Best Drive Enclosures” and slowly the idea has been making its way up my project list.

But I wanted to one-up the project. I didn’t just want a portable hard drive, I wanted a device that I could move around, somewhat, and still be secured in the event that it was stolen. Basically I wanted a mobile digital vault.

First step was to get the drive out of the computer and into something that was useful. Referring back to the LifeHacker article before I chose the Rosewill RX-358 which met all of my criteria: It had to be cooled (fan), support larger drives (500GB) and be ESATA compatible.

HD just before putting top on

It slides right in to the connectors on the back and fits like it came from the factory that way. Kudos to Rosewill.

I dropped the old SATA drive into it, which fit snugly into the case. Once you put the Rosewill back together, it actually feels like it was factory built to be a mobile drive. It feels solid and secure.

I backed up any data on it I wanted, which wasn’t much, and then formatted the drive. I chose NTFS for the drive format type because both Windows and Linux, the two OSes I use most, can both read it. I didn’t plan to turn all 500GB into an digital vault, since I don’t have that many private documents, but you can certainly do that with the software.

Now that I had a newly-formatted 500GB drive I used TrueCrypt to create the virtual drive on it. This software runs on Windows, Mac and Linux, so a drive created in one is readable on any device that has TrueCrypt installed. This is of course assuming that it’s in a filesystem that the OS can read.

TrueCrypt Main Screen

The TrueCrypt Main Screen before I hit the “Mount” button. You can have several encrypted virtual drives running at once.

I tried initially to create a 50GB drive (more than enough for me) in NTFS through Windows, but for some reason Windows wasn’t able to write past about 7GB before shutting down. I tried again in Linux and it had no problem creating the entire 50GB partition and encrypting it with my key.

When I did this, however, NTFS was not an option and I chose EXT4 (Linux filesystem) instead. This meant that while I was able to mount it in Windows, I wouldn’t be able to read the virtual drive without some extra work. This was fine for me, as I use Linux primarily. If you are trying this on your own, keep this in mind.

After the new drive was created, formatted and mounted (with password required)*, I put a copy of a faux folder called “Important Documents” into it with a few files and dismounted. The dismounted virtual drive was an unintelligible mess with no indication of what it was supposed to be, which is exactly what you want.

My "Important" documents

My “Important” Documents encrypted and decrypted fine. Ubuntu acts like it’s just another drive, but in Linux it isn’t in fstab so it won’t show up in your Unity dock.

The device mounted again, after rebooting on the machine it was created on and on another system entirely, showing me my documents in good condition. I was able to mount it on Windows as well, though as mentioned I was not able to read the files from it. I tried a program that was built to read mounted EXT2/3/4 drives, but it didn’t seem to pick up my encrypted drive. There are other methods, such as installing a driver to read the other filesystems, but since this was not a high priority for me I did not do it. Perhaps I will try those options later. I’ll post an update on this blog post if I get anything to work (or not!).

So, there you have it. I now have a 500GB mobile drive with a 50GB digital vault. I would recommend also putting a copy of Truecrypt on your un-encrypted portion so you can install it if need be. If not that, then you can do as I have and sync the installer to your Dropbox. My method, of course, assumes that you’ll have internet access. I wouldn’t recommend encrypting the entire drive for this reason as well, especially if you have a large one. Truecrypt is very smooth, but you don’t want to have to do that every time you get on your drive to move some pictures or something.

Rosewill Running

The Rosewill attached via the ESATA port. The blue lights are factory standard.

Any way you go about it, this is a good way to securely move your data around. If the unthinkable happens, you’ll know that you don’t have anything to worry about… other than getting a new mobile drive.

*Note: Just to give you an idea of the power of the encryption technology in use, with AES encryption it would take a trillion computers doing a billion brute force attacks (password guesses) a second, two billion years to break into your data. Fort Knox wishes it was this secure.

-CJ Julius