Thursday, April 24, 2008

Tactical Forensics Platform

Earlier I wrote about my proposed Tactical Network Security Monitoring Platform. Today I finally sat down and installed the operating systems I need on this system to create a portable tactical forensics and investigation platform. I did not want to use my main work laptop for this sort of work because I do not administer it. I needed my forensics platform to be separate from the corporate domain and totally under my control. I only feel comfortable attesting to the configuration of a system doing forensics if I built it from the ground up and I am the sole administrator.

For operating systems, I had three needs. I wanted Windows XP because the majority of commercial forensics software runs on Windows. I wanted Ubuntu Hardy Heron so I could have access to Linux forensics software and VMware Server. (Windows is also a possible VMware Server candidate, but I might install a copy of VMware Workstation on the Windows side.) I wanted FreeBSD 7.0 in case I needed to do packet capture and related network security monitoring tasks.

I decided to triple-boot these three operating systems. The box has three logical hard drives. Two are physical (147 GB each) and the third is a RAID 0 array resulting in a single HDD of 447 GB.

Before I got the following to work I had to experiment with various setups. The following is what I settled upon. I'm posting this information for future reference and for those who might want to try the same setup.

First I installed Windows XP on the only HDD it could see, one of the 147 GB HDDs. I thought this a little odd, but it suited my purposes. I rebooted and Windows started without incident.

Next I changed the default boot drive in the BIOS from the Windows HDD to the next HDD. I installed Ubuntu Hardy Heron Desktop on that second 147 GB HDD. I selected the "Advanced" option and told Ubuntu to install its bootloader into one of the drives (/dev/sdc, which turned out to be a problem) I was using for Linux.

When I tried rebooting, GRUB had created entries for Linux and Windows but neither worked. I realized that the drive order seen by the Ubuntu live CD/installer was not the order seen by GRUB (or by Linux, once booted). Once I figured out this was the problem, I manually changed the GRUB command line to boot properly into Linux. I needed a similar fix for Windows. I'll show the result shortly. I made the changes to GRUB permanent before going to the next step.

Finally I installed FreeBSD 7.0, which saw the remaining 447 GB HDD as /dev/da0 and the other HDDs as /dev/ad4 and /dev/ad6. I didn't touch /dev/ad4 or /dev/ad6 but installed the FreeBSD bootloader into /dev/da0.

After a reboot I had to try various combinations to get GRUB to properly boot FreeBSD 7.0, but eventually I got that working too.

Here is how Linux's fdisk -l saw the computer:

root@nextcom01:~# fdisk -l

Disk /dev/sda: 160.0 GB, 160041885696 bytes
255 heads, 63 sectors/track, 19457 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x0f8004b1

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1       19456   156280288+   7  HPFS/NTFS

Disk /dev/sdb: 160.0 GB, 160041885696 bytes
255 heads, 63 sectors/track, 19457 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x8f8004b1

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1   *           1         249     2000061   83  Linux
/dev/sdb2   *         250         747     4000185   82  Linux swap / Solaris
/dev/sdb3   *         748        3237    20000925   83  Linux
/dev/sdb4            3238       19457   130287150    5  Extended
/dev/sdb5            3238        4482    10000431   83  Linux
/dev/sdb6            4483        6972    20000893+  83  Linux
/dev/sdb7            6973        7221     2000061   83  Linux
/dev/sdb8            7222       19457    98285638+  83  Linux

Disk /dev/sdc: 479.9 GB, 479965741056 bytes
255 heads, 63 sectors/track, 58352 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x0f800000

   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1   *           1       58352   468712408+  a5  FreeBSD

Here is the GRUB menu I got working:
$ grep -v ^# /boot/grub/menu.lst 
default 0
timeout 10

title Ubuntu 8.04, kernel 2.6.24-16-generic
root (hd0,0)
kernel /boot/vmlinuz-2.6.24-16-generic root=UUID=a3bc8e2b-0678-440d-877f-cecedce8fa9b ro quiet splash
initrd /boot/initrd.img-2.6.24-16-generic
quiet

title Ubuntu 8.04, kernel 2.6.24-16-generic (recovery mode)
root (hd0,0)
kernel /boot/vmlinuz-2.6.24-16-generic root=UUID=a3bc8e2b-0678-440d-877f-cecedce8fa9b ro single
initrd /boot/initrd.img-2.6.24-16-generic

title Ubuntu 8.04, memtest86+
root (hd0,0)
kernel /boot/memtest86+.bin
quiet

title Other operating systems:
root

title Microsoft Windows XP Professional
root (hd2,0)
savedefault
map (hd0) (hd2)
map (hd2) (hd0)
chainloader +1

title FreeBSD 7.0
root (hd1,a)
savedefault
chainloader +1

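The whole problem above comes down to two numbering mismatches: GRUB legacy (0.97, the GRUB in Ubuntu 8.04) numbers disks by BIOS boot order rather than by the order the Linux kernel enumerates them, and it numbers partitions from 0 where fdisk numbers them from 1. The following script is an added example, not code from the original post. It parses an `fdisk -l` listing (a constructed copy of the one above, trimmed to the lines that matter), takes the BIOS disk order as an explicit input (here assumed to be Ubuntu disk, RAID array, Windows disk, which is what the working menu implies), translates Linux device names to GRUB `(hdN,M)` names and back, and emits chainloader stanzas for the Windows and FreeBSD partitions, including the `map` swap that ntldr needs when its disk is not BIOS drive 0x80. The `(hdN,a)` form for FreeBSD is taken from the menu that worked in the post.

```python
"""fdisk -l listing -> GRUB legacy device names and chainloader stanzas.

Added example (not the post's code).  The BIOS disk order is an observed
input (or read from /boot/grub/device.map); it cannot be derived from fdisk.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

BSD_IDS = {0xa5: "FreeBSD", 0xa6: "OpenBSD", 0xa9: "NetBSD"}
CHAINLOADABLE = {0x07: "Microsoft Windows (NTFS)", **BSD_IDS}


@dataclass
class Partition:
    device: str     # /dev/sdb3
    number: int     # fdisk partition number (1-based; logicals start at 5)
    bootable: bool  # '*' in the Boot column
    sys_id: int     # Id column: 0x07 NTFS, 0x83 Linux, 0xa5 FreeBSD, ...
    system: str     # System column


@dataclass
class Disk:
    device: str
    size_bytes: int
    partitions: List[Partition] = field(default_factory=list)


DISK_RE = re.compile(r"^Disk (/dev/\S+): .*?, (\d+) bytes")
PART_RE = re.compile(
    r"^(/dev/[a-z]+)(\d+)\s+(\*)?\s*(\d+)\s+(\d+)\s+(\d+\+?)\s+([0-9a-fA-F]{1,2})\s+(.+)$")


def parse_fdisk(text: str) -> List[Disk]:
    """Parse the util-linux 'fdisk -l' layout of that era (/dev/sdX names only)."""
    disks: List[Disk] = []
    for line in text.splitlines():
        m = DISK_RE.match(line)
        if m:
            disks.append(Disk(m.group(1), int(m.group(2))))
            continue
        m = PART_RE.match(line)
        if m and disks:  # header, 'Units' and 'Disk identifier' lines fall through
            disks[-1].partitions.append(Partition(
                device=m.group(1) + m.group(2), number=int(m.group(2)),
                bootable=m.group(3) == "*", sys_id=int(m.group(7), 16),
                system=m.group(8).strip()))
    return disks


def grub_device(linux_dev: str, bios_order: List[str]) -> str:
    """/dev/sdb3 -> (hd0,2): disk index from BIOS order, partition number minus one."""
    m = re.match(r"^(/dev/[a-z]+)(\d*)$", linux_dev)
    if not m or m.group(1) not in bios_order:
        raise ValueError(f"cannot map {linux_dev}: unknown device or not in BIOS order")
    hd = bios_order.index(m.group(1))
    return f"(hd{hd})" if not m.group(2) else f"(hd{hd},{int(m.group(2)) - 1})"


def resolve(grub_dev: str, disks: List[Disk], bios_order: List[str]) -> Optional[Partition]:
    """Reverse lookup: which fdisk partition does a GRUB (hdN,M) or (hdN,a) name hit?"""
    m = re.match(r"^\(hd(\d+),(\d+|[a-h])\)$", grub_dev)
    if not m or int(m.group(1)) >= len(bios_order):
        return None
    disk = next((d for d in disks if d.device == bios_order[int(m.group(1))]), None)
    if disk is None:
        return None
    if m.group(2).isalpha():  # BSD shorthand: first BSD slice on that disk
        return next((p for p in disk.partitions if p.sys_id in BSD_IDS), None)
    return next((p for p in disk.partitions if p.number == int(m.group(2)) + 1), None)


def chainload_stanzas(disks: List[Disk], bios_order: List[str]) -> List[str]:
    """menu.lst stanzas for every chainloadable (Windows/BSD) partition."""
    out = []
    for disk in disks:
        hd = bios_order.index(disk.device)
        for p in disk.partitions:
            if p.sys_id not in CHAINLOADABLE:
                continue
            lines = [f"title {CHAINLOADABLE[p.sys_id]} on {p.device}"]
            if p.sys_id in BSD_IDS:
                lines.append(f"root (hd{hd},a)")  # the form used in the post's menu
            else:
                lines.append(f"root {grub_device(p.device, bios_order)}")
            if p.sys_id == 0x07 and hd != 0:
                # ntldr expects its disk to be BIOS drive 0x80: swap the numbering
                lines += [f"map (hd0) (hd{hd})", f"map (hd{hd}) (hd0)"]
            lines.append("chainloader +1")
            out.append("\n".join(lines))
    return out


# Constructed sample: the post's listing, trimmed to the lines that are parsed.
SAMPLE_FDISK = """\
Disk /dev/sda: 160.0 GB, 160041885696 bytes
/dev/sda1 * 1 19456 156280288+ 7 HPFS/NTFS
Disk /dev/sdb: 160.0 GB, 160041885696 bytes
/dev/sdb1 * 1 249 2000061 83 Linux
/dev/sdb2 * 250 747 4000185 82 Linux swap / Solaris
/dev/sdb3 * 748 3237 20000925 83 Linux
/dev/sdb4 3238 19457 130287150 5 Extended
/dev/sdb5 3238 4482 10000431 83 Linux
/dev/sdb6 4483 6972 20000893+ 83 Linux
/dev/sdb7 6973 7221 2000061 83 Linux
/dev/sdb8 7222 19457 98285638+ 83 Linux
Disk /dev/sdc: 479.9 GB, 479965741056 bytes
/dev/sdc1 * 1 58352 468712408+ a5 FreeBSD
"""
# Assumed BIOS order implied by the working menu: Ubuntu disk (hd0),
# RAID array (hd1), Windows disk (hd2).
BIOS_ORDER = ["/dev/sdb", "/dev/sdc", "/dev/sda"]

if __name__ == "__main__":
    disks = parse_fdisk(SAMPLE_FDISK)
    print("\n\n".join(chainload_stanzas(disks, BIOS_ORDER)))
```

`resolve` is the check worth running before rebooting: feed it each `root (hdN,M)` line from the generated menu.lst and confirm the partition type it lands on matches the title. With this BIOS order, `(hd2,0)` resolves to the NTFS partition and `(hd1,a)` to the FreeBSD slice; a Windows entry pointing at `(hd0,0)` would land on an ext3 partition, which is the kind of silently wrong entry the auto-generated menu produced.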
I'll probably resize the Windows partition and add a D: drive. I just noticed I devoted the whole drive to C: during installation.

Update: I wasn't able to use the version of GParted available through Ubuntu (0.3.5 I think) to resize the C: partition but I did use the latest stable liveCD (0.3.6-7) to resize C: and create E: (D: was already the optical drive).

16 comments:

windexh8er said...

Interesting but seemingly a little over the top with a triple boot. Considering you can do anything in BSD that you can do in Linux and vice versa. Simple is better and you need a stable, easily maintainable forensics platform. Not sure why you don't just stick with a lightweight Linux distro (Gentoo?) and run M$ in a VM with a dedicated interface if needed. Too complex to be a fast forensics box and time is critical when doing this sort of work.

Vivek Rajan said...

Richard,

Thanks for sharing your setup.

Just a couple of questions.

1. Did you install Win XP Pro 64-bit? It would probably make very little difference because almost all apps run in WOW64 today. Still, it would be nice to know your exact setup.

2. The box is sweet, but I noticed it had 7200 RPM disks. Does this constrain an otherwise high end box ?

3. Can you share with us what forensics software you are referring to that runs on Hardy?

Once again, thanks for these types of posts. I look forward to following your progress on this project.

Anonymous said...

I am just curious the rationale behind the triple boot OS requirement for a forensic machine instead of building and using VM images of the needed OSes?

Cheers,
Caner

jdmurray said...

Is there any sort of assurance process to verify that the system is maintaining the integrity of the forensic data collected? It would seem that a special distro of OpenBSD or GNU/Linux should be used that can provide a very high level of forensic assurance.

Steve said...
This comment has been removed by a blog administrator.
paydayloans said...
This comment has been removed by a blog administrator.
jdmurray said...

The captcha-solving bots are getting smarter, I see.

Anonymous said...

Heh,

Windows doesn't preload SATA or RAID drivers into its install disk, yet another way for mass distributors to take a nickel.

Best idea in the world: find the driver for reading the RAID\SATA drive and Google nLite, then burn the driver to the boot CD and have at it. No F6, no 3rd party drivers needed. When you have to do these setups enough, this is a lifesaver.

jdmurray said...

Maybe the NSA's release of Linux is the one to trust the most:
NSA releases new version of Linux software