Tuesday, July 25, 2006

Updated FreeBSD Forensics

This morning I was reading the third edition of Anti-Hacker Toolkit. I realized no one had updated the section "Vnode: Transforming a Regular File into a Device on FreeBSD." Keith Jones wrote that section four years ago when he co-authored the first edition of AHT. That part of AHT shows how to attach a hard drive image file as a device and mount it, so that the image can be examined in a forensically safe manner.

If you follow the advice in the book and try to vnconfig, you get this error:

orr:/home/richard$ vnconfig
ERROR: vnconfig(8) has been discontinued
Please use mdconfig(8).

Fair enough. Let's see what we need to do to use mdconfig.

I used the jbr_bank/forensic_duplication/JBRWWW.dd.gz hard drive image from Real Digital Forensics by Keith Jones, Curt Rose, and myself. If you want that image or any other files from the book, you'll need the DVD that ships with it.

After gunzipping the archive, I used mdconfig to create a vnode.

orr:/nsm/rdf$ sudo mdconfig -a -t vnode -f JBRWWW.dd
md0
orr:/nsm/rdf$ sudo mdconfig -l -u md0
md0 vnode 4.0G /nsm/rdf/JBRWWW.dd

I now have JBRWWW.dd attached to device md0. Let's see what it is.

orr:/nsm/rdf$ sudo fdisk /dev/md0
******* Working on device /dev/md0 *******
parameters extracted from in-core disklabel are:
cylinders=524 heads=255 sectors/track=63 (16065 blks/cyl)

parameters to be used for BIOS calculations are:
cylinders=524 heads=255 sectors/track=63 (16065 blks/cyl)

Media sector size is 512
Warning: BIOS sector numbering starts with sector 1
Information from DOS bootblock is:
The data for partition 1 is:
sysid 7 (0x07),(OS/2 HPFS, NTFS, QNX-2 (16 bit) or Advanced UNIX)
start 63, size 8401932 (4102 Meg), flag 80 (active)
beg: cyl 0/ head 1/ sector 1;
end: cyl 522/ head 254/ sector 63
The data for partition 2 is:

The data for partition 3 is:

The data for partition 4 is:


That looks like an NTFS partition. Time to mount it.

orr:/nsm/rdf$ sudo mount_ntfs -o ro /dev/md0s1 /mnt
orr:/nsm/rdf$ mount
/dev/ad0s2a on / (ufs, local)
devfs on /dev (devfs, local)
/dev/ad0s2f on /home (ufs, local, soft-updates)
/dev/ad0s2g on /nsm (ufs, local, soft-updates)
/dev/ad0s2h on /tmp (ufs, local, soft-updates)
/dev/ad0s2d on /usr (ufs, local, soft-updates)
/dev/ad0s2e on /var (ufs, local, soft-updates)
/dev/ad0s3 on /data (msdosfs, local)
/dev/acd0 on /cdrom (udf, local, read-only)
/dev/md0s1 on /mnt (ntfs, local, read-only)

So far so good. What do we see on the drive?

orr:/nsm/rdf$ ls /mnt
$AttrDef IO.SYS
$BadClus Inetpub
$Bitmap MSDOS.SYS
$Boot NTDETECT.COM
$Extend Program Files
$LogFile System Volume Information
$MFTMirr WINNT
$Secure arcldr.exe
$UpCase arcsetup.exe
$Volume boot.ini
AUTOEXEC.BAT ntldr
CONFIG.SYS pagefile.sys
Documents and Settings update.exe

That looks like a Microsoft Windows NTFS drive to me.

When done, I clean up.

orr:/nsm/rdf$ sudo umount /mnt
orr:/nsm/rdf$ sudo mdconfig -d -u md0
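The attach, mount and detach steps above as one script, added here as an example and not taken from the post or the books it cites. It adds two checks a forensic examiner wants: mdconfig's `-o readonly` option so the md device itself rejects writes rather than relying on the read-only mount alone, and a hash of the image file before and after so the evidence can be shown to be unchanged. It assumes FreeBSD with mdconfig(8), mount_ntfs(8) as used in the post and sha256(1); the argument layout and function names are the script's own.

```shell
#!/bin/sh
# Added example (not the original post's code): attach a disk image read-only,
# mount one slice, run an analysis command, detach, and prove the image file
# was not altered. Assumes FreeBSD tools as used in the post; names are ours.

# Hash the image; identical values before and after show it was not modified.
image_hash() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                      # FreeBSD
    else
        sha256sum "$1" | cut -d' ' -f1      # GNU coreutils fallback
    fi
}

# Attach the image as a vnode-backed memory disk and print the unit ("md0").
# "-o readonly" makes the md device reject writes at the device layer.
attach_image() {
    mdconfig -a -t vnode -o readonly -f "$1"
}

# Parse "mdconfig -l -u mdN" output from stdin ("md0 vnode 4.0G /path/img.dd")
# and print the backing file, so we can confirm which file was attached.
md_backing_file() {
    awk '$2 == "vnode" { print $4; exit }'
}

detach_image() {
    umount "$2" 2>/dev/null || true
    mdconfig -d -u "$1"
}

# Usage: mdimage.sh IMAGE SLICE MOUNTPOINT [COMMAND...]
# e.g.   mdimage.sh /nsm/rdf/JBRWWW.dd 1 /mnt ls -la /mnt
main() {
    image=$(realpath "$1"); slice=$2; mnt=$3; shift 3
    before=$(image_hash "$image")
    unit=$(attach_image "$image") || exit 1
    trap 'detach_image "$unit" "$mnt"' EXIT     # always clean up on exit
    backing=$(mdconfig -l -u "$unit" | md_backing_file)
    [ "$backing" = "$image" ] || { echo "unexpected backing file: $backing" >&2; exit 1; }
    mount_ntfs -o ro "/dev/${unit}s${slice}" "$mnt"   # read-only, as in the post
    if [ "$#" -gt 0 ]; then "$@"; else ls "$mnt"; fi
    detach_image "$unit" "$mnt"; trap - EXIT
    after=$(image_hash "$image")
    [ "$before" = "$after" ] && echo "image unchanged, sha256 $after" ||
        { echo "IMAGE HASH CHANGED: $before -> $after" >&2; exit 1; }
}

if [ "$#" -ge 3 ]; then main "$@"; fi
```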

You can use this same technique with .iso files too.

orr:/data/iso$ sudo mdconfig -a -t vnode -f boot.iso
md0
orr:/data/iso$ sudo mdconfig -l -u md0
md0 vnode 38M /data/iso/boot.iso
orr:/data/iso$ sudo mount -t cd9660 /dev/md0 /mnt
orr:/data/iso$ mount
/dev/ad0s2a on / (ufs, local)
devfs on /dev (devfs, local)
/dev/ad0s2f on /home (ufs, local, soft-updates)
/dev/ad0s2g on /nsm (ufs, local, soft-updates)
/dev/ad0s2h on /tmp (ufs, local, soft-updates)
/dev/ad0s2d on /usr (ufs, local, soft-updates)
/dev/ad0s2e on /var (ufs, local, soft-updates)
/dev/ad0s3 on /data (msdosfs, local)
/dev/acd0 on /cdrom (udf, local, read-only)
/dev/md0 on /mnt (cd9660, local, read-only)
orr:/data/iso$ ls /mnt
TRANS.TBL etc images ppc
orr:/data/iso$ sudo umount /mnt
orr:/data/iso$ sudo mdconfig -d -u md0

I think that's neat.
